Cleanup actions/checkout@v6 auth style (#2301 )

2025-11-13 15:22:10 -06:00
24 changed files with 1198 additions and 1221 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,20 @@
 ---
 version: 2
 updates:
 - package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"
  groups:
    minor-npm-dependencies:
      # NPM: Only group minor and patch updates (we want to carefully review major updates)
      update-types: [minor, patch]
 - package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: "weekly"
  groups:
    minor-actions-dependencies:
      # GitHub Actions: Only group minor and patch updates (we want to carefully review major updates)
      update-types: [minor, patch]
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -0,0 +1,51 @@
 # `dist/index.js` is a special file in Actions.
 # When you reference an action with `uses:` in a workflow,
 # `index.js` is the code that will run.
 # For our project, we generate this file through a build process
 # from other source files.
 # We need to make sure the checked-in `index.js` actually matches what we expect it to be.
 name: Check dist
 on:
  push:
    branches:
      - main
    paths-ignore:
      - '**.md'
  pull_request:
    paths-ignore:
      - '**.md'
  workflow_dispatch:
 jobs:
  check-dist:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4.1.6
      - name: Set Node.js 24.x
        uses: actions/setup-node@v4
        with:
          node-version: 24.x
      - name: Install dependencies
        run: npm ci
      - name: Rebuild the index.js file
        run: npm run build
      - name: Compare the expected and actual dist/ directories
        run: |
          if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
            echo "Detected uncommitted changes after build.  See status below:"
            git diff
            exit 1
          fi
      # If dist/ was different than expected, upload the expected version as an artifact
      - uses: actions/upload-artifact@v4
        if: ${{ failure() && steps.diff.conclusion == 'failure' }}
        with:
          name: dist
          path: dist/
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,58 @@
 # For most projects, this workflow file will not need changing; you simply need
 # to commit it to your repository.
 #
 # You may wish to alter this file to override the set of languages analyzed,
 # or to provide custom queries or build logic.
 #
 # ******** NOTE ********
 # We have attempted to detect the languages in your repository. Please check
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
 name: "CodeQL"
 on:
  push:
    branches: [ main ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ main ]
  schedule:
    - cron: '28 9 * * 0'
 jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
        # Learn more:
        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4.1.6
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.
        # queries: ./path/to/local/query, your-org/your-repo/queries@main
    - run: npm ci
    - run: npm run build
    - run: rm -rf dist # We want code scanning to analyze lib instead (individual .js files)
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
--- a/.github/workflows/licensed.yml
+++ b/.github/workflows/licensed.yml
@@ -0,0 +1,14 @@
 name: Licensed
 on:
  push: {branches: main}
  pull_request: {branches: main}
 jobs:
  test:
    runs-on: ubuntu-latest
    name: Check licenses
    steps:
      - uses: actions/checkout@v4.1.6
      - run: npm ci
      - run: npm run licensed-check
--- a/.github/workflows/publish-immutable-actions.yml
+++ b/.github/workflows/publish-immutable-actions.yml
@@ -0,0 +1,20 @@
 name: 'Publish Immutable Action Version'
 on:
  release:
    types: [published]
 jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write
    steps:
      - name: Checking out
        uses: actions/checkout@v4
      - name: Publish
        id: publish
        uses: actions/publish-immutable-action@0.0.3
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,331 @@
 name: Build and Test
 on:
  pull_request:
  push:
    branches:
      - main
      - releases/*
 # Note that when you see patterns like "ref: test-data/v2/basic" within this workflow,
 # these refer to "test-data" branches on this actions/checkout repo.
 # (For example, test-data/v2/basic -> https://github.com/actions/checkout/tree/test-data/v2/basic)
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 24.x
      - uses: actions/checkout@v4.1.6
      - run: npm ci
      - run: npm run build
      - run: npm run format-check
      - run: npm run lint
      - run: npm test
      - name: Verify no unstaged changes
        run: __test__/verify-no-unstaged-changes.sh
  test:
    strategy:
      matrix:
        runs-on: [ubuntu-latest, macos-latest, windows-latest]
    runs-on: ${{ matrix.runs-on }}
    steps:
      # Clone this repo
      - name: Checkout
        uses: actions/checkout@v4.1.6
      # Basic checkout
      - name: Checkout basic
        uses: ./
        with:
          ref: test-data/v2/basic
          path: basic
      - name: Verify basic
        shell: bash
        run: __test__/verify-basic.sh
      # Clean
      - name: Modify work tree
        shell: bash
        run: __test__/modify-work-tree.sh
      - name: Checkout clean
        uses: ./
        with:
          ref: test-data/v2/basic
          path: basic
      - name: Verify clean
        shell: bash
        run: __test__/verify-clean.sh
      # Side by side
      - name: Checkout side by side 1
        uses: ./
        with:
          ref: test-data/v2/side-by-side-1
          path: side-by-side-1
      - name: Checkout side by side 2
        uses: ./
        with:
          ref: test-data/v2/side-by-side-2
          path: side-by-side-2
      - name: Verify side by side
        shell: bash
        run: __test__/verify-side-by-side.sh
      # Filter
      - name: Fetch filter
        uses: ./
        with:
          filter: 'blob:none'
          path: fetch-filter
      - name: Verify fetch filter
        run: __test__/verify-fetch-filter.sh
      # Sparse checkout
      - name: Sparse checkout
        uses: ./
        with:
          sparse-checkout: |
            __test__
            .github
            dist
          path: sparse-checkout
      - name: Verify sparse checkout
        run: __test__/verify-sparse-checkout.sh
      # Disabled sparse checkout in existing checkout
      - name: Disabled sparse checkout
        uses: ./
        with:
          path: sparse-checkout
      - name: Verify disabled sparse checkout
        shell: bash
        run: set -x && ls -l sparse-checkout/src/git-command-manager.ts
      # Sparse checkout (non-cone mode)
      - name: Sparse checkout (non-cone mode)
        uses: ./
        with:
          sparse-checkout: |
            /__test__/
            /.github/
            /dist/
          sparse-checkout-cone-mode: false
          path: sparse-checkout-non-cone-mode
      - name: Verify sparse checkout (non-cone mode)
        run: __test__/verify-sparse-checkout-non-cone-mode.sh
      # LFS
      - name: Checkout LFS
        uses: ./
        with:
          repository: actions/checkout # hardcoded, otherwise doesn't work from a fork
          ref: test-data/v2/lfs
          path: lfs
          lfs: true
      - name: Verify LFS
        shell: bash
        run: __test__/verify-lfs.sh
      # Submodules false
      - name: Checkout submodules false
        uses: ./
        with:
          ref: test-data/v2/submodule-ssh-url
          path: submodules-false
      - name: Verify submodules false
        run: __test__/verify-submodules-false.sh
      # Submodules one level
      - name: Checkout submodules true
        uses: ./
        with:
          ref: test-data/v2/submodule-ssh-url
          path: submodules-true
          submodules: true
      - name: Verify submodules true
        run: __test__/verify-submodules-true.sh
      # Submodules recursive
      - name: Checkout submodules recursive
        uses: ./
        with:
          ref: test-data/v2/submodule-ssh-url
          path: submodules-recursive
          submodules: recursive
      - name: Verify submodules recursive
        run: __test__/verify-submodules-recursive.sh
      # Basic checkout using REST API
      - name: Remove basic
        if: runner.os != 'windows'
        run: rm -rf basic
      - name: Remove basic (Windows)
        if: runner.os == 'windows'
        shell: cmd
        run: rmdir /s /q basic
      - name: Override git version
        if: runner.os != 'windows'
        run: __test__/override-git-version.sh
      - name: Override git version (Windows)
        if: runner.os == 'windows'
        run: __test__\\override-git-version.cmd
      - name: Checkout basic using REST API
        uses: ./
        with:
          ref: test-data/v2/basic
          path: basic
      - name: Verify basic
        run: __test__/verify-basic.sh --archive
  test-proxy:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/actions/test-ubuntu-git:main.20240221.114913.703z
      options: --dns 127.0.0.1
    services:
      squid-proxy:
        image: ubuntu/squid:latest
        ports:
          - 3128:3128
    env:
      https_proxy: http://squid-proxy:3128
    steps:
      # Clone this repo
      - name: Checkout
        uses: actions/checkout@v4.1.6
      # Basic checkout using git
      - name: Checkout basic
        uses: ./
        with:
          ref: test-data/v2/basic
          path: basic
      - name: Verify basic
        run: __test__/verify-basic.sh
      # Basic checkout using REST API
      - name: Remove basic
        run: rm -rf basic
      - name: Override git version
        run: __test__/override-git-version.sh
      - name: Basic checkout using REST API
        uses: ./
        with:
          ref: test-data/v2/basic
          path: basic
      - name: Verify basic
        run: __test__/verify-basic.sh --archive
  test-bypass-proxy:
    runs-on: ubuntu-latest
    env:
      https_proxy: http://no-such-proxy:3128
      no_proxy: api.github.com,github.com
    steps:
      # Clone this repo
      - name: Checkout
        uses: actions/checkout@v4.1.6
      # Basic checkout using git
      - name: Checkout basic
        uses: ./
        with:
          ref: test-data/v2/basic
          path: basic
      - name: Verify basic
        run: __test__/verify-basic.sh
      - name: Remove basic
        run: rm -rf basic
      # Basic checkout using REST API
      - name: Override git version
        run: __test__/override-git-version.sh
      - name: Checkout basic using REST API
        uses: ./
        with:
          ref: test-data/v2/basic
          path: basic
      - name: Verify basic
        run: __test__/verify-basic.sh --archive
  test-git-container:
    runs-on: ubuntu-latest
    container: bitnami/git:latest
    steps:
      # Clone this repo
      - name: Checkout
        uses: actions/checkout@v4.1.6
        with:
          path: localClone
      # Basic checkout using git
      - name: Checkout basic
        uses: ./localClone
        with:
          ref: test-data/v2/basic
      - name: Verify basic
        run: |
          if [ ! -f "./basic-file.txt" ]; then
              echo "Expected basic file does not exist"
              exit 1
          fi
          # Verify .git folder
          if [ ! -d "./.git" ]; then
            echo "Expected ./.git folder to exist"
            exit 1
          fi
          # Verify auth token
          git config --global --add safe.directory "*"
          git fetch --no-tags --depth=1 origin +refs/heads/main:refs/remotes/origin/main
      # needed to make checkout post cleanup succeed
      - name: Fix Checkout v4
        uses: actions/checkout@v4.1.6
        with:
          path: localClone
  test-output:
    runs-on: ubuntu-latest
    steps:
      # Clone this repo
      - name: Checkout
        uses: actions/checkout@v4.1.6
      # Basic checkout using git
      - name: Checkout basic
        id: checkout
        uses: ./
        with:
          ref: test-data/v2/basic
      # Verify output
      - name: Verify output
        run: |
          echo "Commit: ${{ steps.checkout.outputs.commit }}"
          echo "Ref: ${{ steps.checkout.outputs.ref }}"
          if [ "${{ steps.checkout.outputs.ref }}" != "test-data/v2/basic" ]; then
            echo "Expected ref to be test-data/v2/basic"
            exit 1
          fi
          if [ "${{ steps.checkout.outputs.commit }}" != "82f71901cf8c021332310dcc8cdba84c4193ff5d" ]; then
            echo "Expected commit to be 82f71901cf8c021332310dcc8cdba84c4193ff5d"
            exit 1
          fi
      # needed to make checkout post cleanup succeed
      - name: Fix Checkout
        uses: actions/checkout@v4.1.6
--- a/.github/workflows/update-main-version.yml
+++ b/.github/workflows/update-main-version.yml
@@ -0,0 +1,36 @@
 name: Update Main Version
 run-name: Move ${{ github.event.inputs.major_version }} to ${{ github.event.inputs.target }}
 on:
  workflow_dispatch:
    inputs:
      target:
        description: The tag or reference to use
        required: true
      major_version:
        type: choice
        description: The major version to update
        options:
          - v5
          - v4
          - v3
          - v2
 jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
    # Note this update workflow can also be used as a rollback tool.
    # For that reason, it's best to pin `actions/checkout` to a known, stable version
    # (typically, about two releases back).
    - uses: actions/checkout@v4.1.6
      with:
        fetch-depth: 0
    - name: Git config
      run: |
        git config user.name "github-actions[bot]"
        git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
    - name: Tag new target
      run: git tag -f ${{ github.event.inputs.major_version }} ${{ github.event.inputs.target }}
    - name: Push new tag
      run: git push origin ${{ github.event.inputs.major_version }} --force
--- a/.github/workflows/update-test-ubuntu-git.yml
+++ b/.github/workflows/update-test-ubuntu-git.yml
@@ -0,0 +1,59 @@
 name: Publish test-ubuntu-git Container
 on:
  # Use an on demand workflow trigger.  
  # (Forked copies of actions/checkout won't have permission to update GHCR.io/actions, 
  #  so avoid trigger events that run automatically.)
  workflow_dispatch:
    inputs:
      publish:
        description:  'Publish to ghcr.io? (main branch only)'
        type: boolean
        required: true
        default: false
 env:
  REGISTRY: ghcr.io
  IMAGE_NAME: actions/test-ubuntu-git
 jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      # Use `docker/login-action` to log in to GHCR.io. 
      # Once published, the packages are scoped to the account defined here.
      - name: Log in to the ghcr.io container registry
        uses: docker/login-action@v3.3.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Format Timestamp
        id: timestamp
        # Use `date` with a custom format to achieve the key=value format GITHUB_OUTPUT expects.
        run: date -u "+now=%Y%m%d.%H%M%S.%3NZ" >> "$GITHUB_OUTPUT"
      - name: Issue Image Publish Warning
        if:  ${{ inputs.publish && github.ref_name != 'main' }}
        run: echo "::warning::test-ubuntu-git images can only be published from the actions/checkout 'main' branch.  Workflow will continue with push/publish disabled."
      # Use `docker/build-push-action` to build (and optionally publish) the image. 
      - name: Build Docker Image (with optional Push)
        uses: docker/build-push-action@v6.5.0
        with:
          context: .
          file: images/test-ubuntu-git.Dockerfile
          # For now, attempts to push to ghcr.io must target the `main` branch.
          # In the future, consider also allowing attempts from `releases/*` branches.
          push: ${{ inputs.publish && github.ref_name == 'main' }}
          tags: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}.${{ steps.timestamp.outputs.now }}
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,25 +1,10 @@
 # Changelog
-## v6.0.2
+## V5.0.0
 * Fix tag handling: preserve annotations and explicit fetch-tags by @ericsciple in https://github.com/actions/checkout/pull/2356
 ## v6.0.1
 * Add worktree support for persist-credentials includeIf by @ericsciple in https://github.com/actions/checkout/pull/2327
 ## v6.0.0
 * Persist creds to a separate file by @ericsciple in https://github.com/actions/checkout/pull/2286
 * Update README to include Node.js 24 support details and requirements by @salmanmkc in https://github.com/actions/checkout/pull/2248
 ## v5.0.1
 * Port v6 cleanup to v5 by @ericsciple in https://github.com/actions/checkout/pull/2301
 ## v5.0.0
 * Update actions checkout to use node 24 by @salmanmkc in https://github.com/actions/checkout/pull/2226
 ## v4.3.1
 * Port v6 cleanup to v4 by @ericsciple in https://github.com/actions/checkout/pull/2305
-## v4.3.0
+## V4.3.0
 * docs: update README.md by @motss in https://github.com/actions/checkout/pull/1971
 * Add internal repos for checking out multiple repositories by @mouismail in https://github.com/actions/checkout/pull/1977
 * Documentation update - add recommended permissions to Readme by @benwells in https://github.com/actions/checkout/pull/2043
--- a/README.md
+++ b/README.md
@@ -1,22 +1,10 @@
 [![Build and Test](https://github.com/actions/checkout/actions/workflows/test.yml/badge.svg)](https://github.com/actions/checkout/actions/workflows/test.yml)
-# Checkout v6
+# Checkout V5
-## What's new
+Checkout v5 now supports Node.js 24
- Improved credential security: `persist-credentials` now stores credentials in a separate file under `$RUNNER_TEMP` instead of directly in `.git/config`
+# Checkout V4
 - No workflow changes required — `git fetch`, `git push`, etc. continue to work automatically
 - Running authenticated git commands from a [Docker container action](https://docs.github.com/actions/sharing-automations/creating-actions/creating-a-docker-container-action) requires Actions Runner [v2.329.0](https://github.com/actions/runner/releases/tag/v2.329.0) or later
 # Checkout v5
 ## What's new
 - Updated to the node24 runtime
  - This requires a minimum Actions Runner version of [v2.327.1](https://github.com/actions/runner/releases/tag/v2.327.1) to run.
 # Checkout v4
 This action checks-out your repository under `$GITHUB_WORKSPACE`, so your workflow can access it.
@@ -52,7 +40,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 <!-- start usage -->
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    # Repository name with owner. For example, actions/checkout
    # Default: ${{ github.repository }}
@@ -166,10 +154,9 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 # Scenarios
 - [Checkout V5](#checkout-v5)
  - [What's new](#whats-new)
 - [Checkout V4](#checkout-v4)
    - [Note](#note)
- [What's new](#whats-new-1)
+- [What's new](#whats-new)
 - [Usage](#usage)
 - [Scenarios](#scenarios)
  - [Fetch only the root files](#fetch-only-the-root-files)
@@ -191,7 +178,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    sparse-checkout: .
 ```
@@ -199,7 +186,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only the root files and `.github` and `src` folder
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    sparse-checkout: |
      .github
@@ -209,7 +196,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch only a single file
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    sparse-checkout: |
      README.md
@@ -219,7 +206,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Fetch all history for all tags and branches
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    fetch-depth: 0
 ```
@@ -227,7 +214,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout a different branch
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    ref: my-branch
 ```
@@ -235,7 +222,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout HEAD^
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    fetch-depth: 2
 - run: git checkout HEAD^
@@ -245,12 +232,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    path: main
 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    repository: my-org/my-tools
    path: my-tools
@@ -261,10 +248,10 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
 - name: Checkout tools repo
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    repository: my-org/my-tools
    path: my-tools
@@ -275,12 +262,12 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ```yaml
 - name: Checkout
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    path: main
 - name: Checkout private tools
-  uses: actions/checkout@v6
+  uses: actions/checkout@v5
  with:
    repository: my-org/my-private-tools
    token: ${{ secrets.GH_PAT }} # `GH_PAT` is a secret that contains your PAT
@@ -293,7 +280,7 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 ## Checkout pull request HEAD commit instead of merge commit
 ```yaml
- uses: actions/checkout@v6
+- uses: actions/checkout@v5
  with:
    ref: ${{ github.event.pull_request.head.sha }}
 ```
@@ -309,7 +296,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
 ```
 ## Push a commit using the built-in token
@@ -320,7 +307,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
      - run: |
          date > generated.txt
          # Note: the following account information will not work on GHES
@@ -342,7 +329,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v5
        with:
          ref: ${{ github.head_ref }}
      - run: |
--- a/test/git-auth-helper.test.ts
+++ b/test/git-auth-helper.test.ts
@@ -86,29 +86,16 @@ describe('git-auth-helper tests', () => {
    // Act
    await authHelper.configureAuth()
-    // Assert config - check that .git/config contains includeIf entries
+    // Assert config
-    const localConfigContent = (
+    const configContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(
      localConfigContent.indexOf('includeIf.gitdir:')
    ).toBeGreaterThanOrEqual(0)
    // Assert credentials config file contains the actual credentials
    const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
      f => f.startsWith('git-credentials-') && f.endsWith('.config')
    )
    expect(credentialsFiles.length).toBe(1)
    const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
    const credentialsContent = (
      await fs.promises.readFile(credentialsConfigPath)
    ).toString()
    const basicCredential = Buffer.from(
      `x-access-token:${settings.authToken}`,
      'utf8'
    ).toString('base64')
    expect(
-      credentialsContent.indexOf(
+      configContent.indexOf(
        `http.${expectedServerUrl}/.extraheader AUTHORIZATION: basic ${basicCredential}`
      )
    ).toBeGreaterThanOrEqual(0)
@@ -133,7 +120,7 @@ describe('git-auth-helper tests', () => {
    'inject https://github.com as github server url'
  it(configureAuth_AcceptsGitHubServerUrlSetToGHEC, async () => {
    await testAuthHeader(
-      configureAuth_AcceptsGitHubServerUrlSetToGHEC,
+      configureAuth_AcceptsGitHubServerUrl,
      'https://github.com'
    )
  })
@@ -154,17 +141,12 @@ describe('git-auth-helper tests', () => {
      // Act
      await authHelper.configureAuth()
-      // Assert config - check credentials config file (not local .git/config)
+      // Assert config
-      const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
+      const configContent = (
-        f => f.startsWith('git-credentials-') && f.endsWith('.config')
+        await fs.promises.readFile(localGitConfigPath)
      )
      expect(credentialsFiles.length).toBe(1)
      const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
      const credentialsContent = (
        await fs.promises.readFile(credentialsConfigPath)
      ).toString()
      expect(
-        credentialsContent.indexOf(
+        configContent.indexOf(
          `http.https://github.com/.extraheader AUTHORIZATION`
        )
      ).toBeGreaterThanOrEqual(0)
@@ -269,16 +251,13 @@ describe('git-auth-helper tests', () => {
      expectedSshCommand
    )
-    // Assert git config
+    // Asserty git config
    const gitConfigLines = (await fs.promises.readFile(localGitConfigPath))
      .toString()
      .split('\n')
      .filter(x => x)
-    // Should have includeIf entries pointing to credentials file
+    expect(gitConfigLines).toHaveLength(1)
-    expect(gitConfigLines.length).toBeGreaterThan(0)
+    expect(gitConfigLines[0]).toMatch(/^http\./)
    expect(
      gitConfigLines.some(line => line.indexOf('includeIf.gitdir:') >= 0)
    ).toBeTruthy()
  })
  const configureAuth_setsSshCommandWhenPersistCredentialsTrue =
@@ -440,20 +419,8 @@ describe('git-auth-helper tests', () => {
    expect(
      configContent.indexOf('value-from-global-config')
    ).toBeGreaterThanOrEqual(0)
    // Global config should have include.path pointing to credentials file
    expect(configContent.indexOf('include.path')).toBeGreaterThanOrEqual(0)
    // Check credentials in the separate config file
    const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
      f => f.startsWith('git-credentials-') && f.endsWith('.config')
    )
    expect(credentialsFiles.length).toBeGreaterThan(0)
    const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
    const credentialsContent = (
      await fs.promises.readFile(credentialsConfigPath)
    ).toString()
    expect(
-      credentialsContent.indexOf(
+      configContent.indexOf(
        `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
      )
    ).toBeGreaterThanOrEqual(0)
@@ -496,20 +463,8 @@ describe('git-auth-helper tests', () => {
      const configContent = (
        await fs.promises.readFile(path.join(git.env['HOME'], '.gitconfig'))
      ).toString()
      // Global config should have include.path pointing to credentials file
      expect(configContent.indexOf('include.path')).toBeGreaterThanOrEqual(0)
      // Check credentials in the separate config file
      const credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
        f => f.startsWith('git-credentials-') && f.endsWith('.config')
      )
      expect(credentialsFiles.length).toBeGreaterThan(0)
      const credentialsConfigPath = path.join(runnerTemp, credentialsFiles[0])
      const credentialsContent = (
        await fs.promises.readFile(credentialsConfigPath)
      ).toString()
      expect(
-        credentialsContent.indexOf(
+        configContent.indexOf(
          `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
        )
      ).toBeGreaterThanOrEqual(0)
@@ -595,15 +550,15 @@ describe('git-auth-helper tests', () => {
      await authHelper.configureSubmoduleAuth()
      // Assert
-      // Should configure insteadOf (2 calls for two values)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(4)
      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
      expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
        /unset-all.*insteadOf/
      )
-      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(
+      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
        /url.*insteadOf.*git@github.com:/
      )
-      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(
+      expect(mockSubmoduleForeach.mock.calls[3][0]).toMatch(
        /url.*insteadOf.*org-123456@github.com:/
      )
    }
@@ -634,12 +589,12 @@ describe('git-auth-helper tests', () => {
      await authHelper.configureSubmoduleAuth()
      // Assert
-      // Should configure sshCommand (1 call)
+      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(3)
      expect(mockSubmoduleForeach).toHaveBeenCalledTimes(2)
      expect(mockSubmoduleForeach.mock.calls[0][0]).toMatch(
        /unset-all.*insteadOf/
      )
-      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/core\.sshCommand/)
+      expect(mockSubmoduleForeach.mock.calls[1][0]).toMatch(/http.*extraheader/)
      expect(mockSubmoduleForeach.mock.calls[2][0]).toMatch(/core\.sshCommand/)
    }
  )
@@ -705,81 +660,112 @@ describe('git-auth-helper tests', () => {
    await setup(removeAuth_removesToken)
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    await authHelper.configureAuth()
-
+    let gitConfigContent = (
    // Verify includeIf entries exist in local config
    let localConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
-    expect(
+    expect(gitConfigContent.indexOf('http.')).toBeGreaterThanOrEqual(0) // sanity check
      localConfigContent.indexOf('includeIf.gitdir:')
    ).toBeGreaterThanOrEqual(0)
    // Verify both host and container includeIf entries are present
    const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
    expect(
      localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
    ).toBeGreaterThanOrEqual(0)
    expect(
      localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
    ).toBeGreaterThanOrEqual(0)
    // Verify credentials file exists
    let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
      f => f.startsWith('git-credentials-') && f.endsWith('.config')
    )
    expect(credentialsFiles.length).toBe(1)
    const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
    // Verify credentials file contains the auth token
    let credentialsContent = (
      await fs.promises.readFile(credentialsFilePath)
    ).toString()
    const basicCredential = Buffer.from(
      `x-access-token:${settings.authToken}`,
      'utf8'
    ).toString('base64')
    expect(
      credentialsContent.indexOf(
        `http.https://github.com/.extraheader AUTHORIZATION: basic ${basicCredential}`
      )
    ).toBeGreaterThanOrEqual(0)
    // Verify the includeIf entries point to the credentials file
    const containerCredentialsPath = path.posix.join(
      '/github/runner_temp',
      path.basename(credentialsFilePath)
    )
    expect(
      localConfigContent.indexOf(credentialsFilePath)
    ).toBeGreaterThanOrEqual(0)
    expect(
      localConfigContent.indexOf(containerCredentialsPath)
    ).toBeGreaterThanOrEqual(0)
    // Act
    await authHelper.removeAuth()
-    // Assert all includeIf entries removed from local git config
+    // Assert git config
-    localConfigContent = (
+    gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
-    expect(localConfigContent.indexOf('includeIf.gitdir:')).toBeLessThan(0)
+    expect(gitConfigContent.indexOf('http.')).toBeLessThan(0)
  })
  const removeAuth_removesV6StyleCredentials =
    'removeAuth removes v6 style credentials'
  it(removeAuth_removesV6StyleCredentials, async () => {
    // Arrange
    await setup(removeAuth_removesV6StyleCredentials)
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    await authHelper.configureAuth()
    // Manually create v6-style credentials that would be left by v6
    const credentialsFileName =
      'git-credentials-12345678-1234-1234-1234-123456789abc.config'
    const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
    const basicCredential = Buffer.from(
      `x-access-token:${settings.authToken}`,
      'utf8'
    ).toString('base64')
    const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
    await fs.promises.writeFile(credentialsFilePath, credentialsContent)
    // Add includeIf entries to local git config (simulating v6 configuration)
    const hostGitDir = path.join(workspace, '.git').replace(/\\/g, '/')
    await fs.promises.appendFile(
      localGitConfigPath,
      `[includeIf "gitdir:${hostGitDir}/"]\n\tpath = ${credentialsFilePath}\n`
    )
    await fs.promises.appendFile(
      localGitConfigPath,
      `[includeIf "gitdir:/github/workspace/.git/"]\n\tpath = /github/runner_temp/${credentialsFileName}\n`
    )
    // Verify v6 style config exists
    let gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
    expect(
-      localConfigContent.indexOf(`includeIf.gitdir:${hostGitDir}.path`)
+      gitConfigContent.indexOf(credentialsFilePath)
-    ).toBeLessThan(0)
+    ).toBeGreaterThanOrEqual(0)
-    expect(
+    await fs.promises.stat(credentialsFilePath) // Verify file exists
-      localConfigContent.indexOf('includeIf.gitdir:/github/workspace/.git.path')
+
-    ).toBeLessThan(0)
+    // Mock the git methods to handle v6 cleanup
-    expect(localConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
+    const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
-    expect(localConfigContent.indexOf(containerCredentialsPath)).toBeLessThan(0)
+    mockTryGetConfigKeys.mockResolvedValue([
      `includeIf.gitdir:${hostGitDir}/.path`,
      'includeIf.gitdir:/github/workspace/.git/.path'
    ])
    const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
    mockTryGetConfigValues.mockImplementation(async (key: string) => {
      if (key === `includeIf.gitdir:${hostGitDir}/.path`) {
        return [credentialsFilePath]
      }
      if (key === 'includeIf.gitdir:/github/workspace/.git/.path') {
        return [`/github/runner_temp/${credentialsFileName}`]
      }
      return []
    })
    const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
      any,
      any
    >
    mockTryConfigUnsetValue.mockImplementation(
      async (
        key: string,
        value: string,
        globalConfig?: boolean,
        configPath?: string
      ) => {
        const targetPath = configPath || localGitConfigPath
        let content = await fs.promises.readFile(targetPath, 'utf8')
        // Remove the includeIf section
        const lines = content
          .split('\n')
          .filter(line => !line.includes('includeIf') && !line.includes(value))
        await fs.promises.writeFile(targetPath, lines.join('\n'))
        return true
      }
    )
    // Act
    await authHelper.removeAuth()
    // Assert includeIf entries removed from local git config
    gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(gitConfigContent.indexOf('includeIf')).toBeLessThan(0)
    expect(gitConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
    // Assert credentials config file deleted
    credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
      f => f.startsWith('git-credentials-') && f.endsWith('.config')
    )
    expect(credentialsFiles.length).toBe(0)
    // Verify credentials file no longer exists on disk
    try {
      await fs.promises.stat(credentialsFilePath)
      throw new Error('Credentials file should have been deleted')
@@ -790,108 +776,113 @@ describe('git-auth-helper tests', () => {
    }
  })
-  const removeAuth_removesTokenFromSubmodules =
+  const removeAuth_removesV6StyleCredentialsFromSubmodules =
-    'removeAuth removes token from submodules'
+    'removeAuth removes v6 style credentials from submodules'
-  it(removeAuth_removesTokenFromSubmodules, async () => {
+  it(removeAuth_removesV6StyleCredentialsFromSubmodules, async () => {
    // Arrange
-    await setup(removeAuth_removesTokenFromSubmodules)
+    await setup(removeAuth_removesV6StyleCredentialsFromSubmodules)
    // Create fake submodule config paths
    const submodule1Dir = path.join(workspace, '.git', 'modules', 'submodule-1')
    const submodule2Dir = path.join(workspace, '.git', 'modules', 'submodule-2')
    const submodule1ConfigPath = path.join(submodule1Dir, 'config')
    const submodule2ConfigPath = path.join(submodule2Dir, 'config')
    await fs.promises.mkdir(submodule1Dir, {recursive: true})
    await fs.promises.mkdir(submodule2Dir, {recursive: true})
    await fs.promises.writeFile(submodule1ConfigPath, '')
    await fs.promises.writeFile(submodule2ConfigPath, '')
    // Mock getSubmoduleConfigPaths to return our fake submodules (for both configure and remove)
    const mockGetSubmoduleConfigPaths =
      git.getSubmoduleConfigPaths as jest.Mock<any, any>
    mockGetSubmoduleConfigPaths.mockResolvedValue([
      submodule1ConfigPath,
      submodule2ConfigPath
    ])
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    await authHelper.configureAuth()
    await authHelper.configureSubmoduleAuth()
-    // Verify credentials file exists
+    // Create v6-style credentials file
-    let credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
+    const credentialsFileName =
-      f => f.startsWith('git-credentials-') && f.endsWith('.config')
+      'git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
    const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
    const basicCredential = Buffer.from(
      `x-access-token:${settings.authToken}`,
      'utf8'
    ).toString('base64')
    const credentialsContent = `[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ${basicCredential}\n`
    await fs.promises.writeFile(credentialsFilePath, credentialsContent)
    // Add includeIf entries to submodule config
    const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
    await fs.promises.appendFile(
      submodule1ConfigPath,
      `[includeIf "gitdir:${submodule1GitDir}/"]\n\tpath = ${credentialsFilePath}\n`
    )
    expect(credentialsFiles.length).toBe(1)
    const credentialsFilePath = path.join(runnerTemp, credentialsFiles[0])
-    // Verify submodule 1 config has includeIf entries
+    // Verify submodule config has includeIf entry
-    let submodule1Content = (
+    let submoduleConfigContent = (
      await fs.promises.readFile(submodule1ConfigPath)
    ).toString()
-    const submodule1GitDir = submodule1Dir.replace(/\\/g, '/')
+    expect(submoduleConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(
-    expect(
+      0
      submodule1Content.indexOf(`includeIf.gitdir:${submodule1GitDir}.path`)
    ).toBeGreaterThanOrEqual(0)
    expect(
      submodule1Content.indexOf(credentialsFilePath)
    ).toBeGreaterThanOrEqual(0)
    // Verify submodule 2 config has includeIf entries
    let submodule2Content = (
      await fs.promises.readFile(submodule2ConfigPath)
    ).toString()
    const submodule2GitDir = submodule2Dir.replace(/\\/g, '/')
    expect(
      submodule2Content.indexOf(`includeIf.gitdir:${submodule2GitDir}.path`)
    ).toBeGreaterThanOrEqual(0)
    expect(
      submodule2Content.indexOf(credentialsFilePath)
    ).toBeGreaterThanOrEqual(0)
    // Verify both host and container paths are in each submodule config
    const containerCredentialsPath = path.posix.join(
      '/github/runner_temp',
      path.basename(credentialsFilePath)
    )
    expect(
-      submodule1Content.indexOf(containerCredentialsPath)
+      submoduleConfigContent.indexOf(credentialsFilePath)
    ).toBeGreaterThanOrEqual(0)
    expect(
      submodule2Content.indexOf(containerCredentialsPath)
    ).toBeGreaterThanOrEqual(0)
-    // Act - ensure mock persists for removeAuth
+    // Mock getSubmoduleConfigPaths
-    mockGetSubmoduleConfigPaths.mockResolvedValue([
+    const mockGetSubmoduleConfigPaths =
-      submodule1ConfigPath,
+      git.getSubmoduleConfigPaths as jest.Mock<any, any>
-      submodule2ConfigPath
+    mockGetSubmoduleConfigPaths.mockResolvedValue([submodule1ConfigPath])
-    ])
+
    // Mock tryGetConfigKeys for submodule
    const mockTryGetConfigKeys = git.tryGetConfigKeys as jest.Mock<any, any>
    mockTryGetConfigKeys.mockImplementation(
      async (pattern: string, globalConfig?: boolean, configPath?: string) => {
        if (configPath === submodule1ConfigPath) {
          return [`includeIf.gitdir:${submodule1GitDir}/.path`]
        }
        return []
      }
    )
    // Mock tryGetConfigValues for submodule
    const mockTryGetConfigValues = git.tryGetConfigValues as jest.Mock<any, any>
    mockTryGetConfigValues.mockImplementation(
      async (key: string, globalConfig?: boolean, configPath?: string) => {
        if (
          configPath === submodule1ConfigPath &&
          key === `includeIf.gitdir:${submodule1GitDir}/.path`
        ) {
          return [credentialsFilePath]
        }
        return []
      }
    )
    // Mock tryConfigUnsetValue for submodule
    const mockTryConfigUnsetValue = git.tryConfigUnsetValue as jest.Mock<
      any,
      any
    >
    mockTryConfigUnsetValue.mockImplementation(
      async (
        key: string,
        value: string,
        globalConfig?: boolean,
        configPath?: string
      ) => {
        const targetPath = configPath || localGitConfigPath
        let content = await fs.promises.readFile(targetPath, 'utf8')
        const lines = content
          .split('\n')
          .filter(line => !line.includes('includeIf') && !line.includes(value))
        await fs.promises.writeFile(targetPath, lines.join('\n'))
        return true
      }
    )
    // Act
    await authHelper.removeAuth()
-    // Assert submodule 1 includeIf entries removed
+    // Assert submodule includeIf entries removed
-    submodule1Content = (
+    submoduleConfigContent = (
      await fs.promises.readFile(submodule1ConfigPath)
    ).toString()
-    expect(submodule1Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
+    expect(submoduleConfigContent.indexOf('includeIf')).toBeLessThan(0)
-    expect(submodule1Content.indexOf(credentialsFilePath)).toBeLessThan(0)
+    expect(submoduleConfigContent.indexOf(credentialsFilePath)).toBeLessThan(0)
    expect(submodule1Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
-    // Assert submodule 2 includeIf entries removed
+    // Assert credentials file deleted
    submodule2Content = (
      await fs.promises.readFile(submodule2ConfigPath)
    ).toString()
    expect(submodule2Content.indexOf('includeIf.gitdir:')).toBeLessThan(0)
    expect(submodule2Content.indexOf(credentialsFilePath)).toBeLessThan(0)
    expect(submodule2Content.indexOf(containerCredentialsPath)).toBeLessThan(0)
    // Assert credentials config file deleted
    credentialsFiles = (await fs.promises.readdir(runnerTemp)).filter(
      f => f.startsWith('git-credentials-') && f.endsWith('.config')
    )
    expect(credentialsFiles.length).toBe(0)
    // Verify credentials file no longer exists on disk
    try {
      await fs.promises.stat(credentialsFilePath)
      throw new Error('Credentials file should have been deleted')
@@ -902,6 +893,65 @@ describe('git-auth-helper tests', () => {
    }
  })
  const removeAuth_skipsV6CleanupWhenEnvVarSet =
    'removeAuth skips v6 cleanup when ACTIONS_CHECKOUT_SKIP_V6_CLEANUP is set'
  it(removeAuth_skipsV6CleanupWhenEnvVarSet, async () => {
    // Arrange
    await setup(removeAuth_skipsV6CleanupWhenEnvVarSet)
    // Set the skip environment variable
    process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'] = '1'
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    await authHelper.configureAuth()
    // Create v6-style credentials file in RUNNER_TEMP
    const credentialsFileName = 'git-credentials-test-uuid-1234-5678.config'
    const credentialsFilePath = path.join(runnerTemp, credentialsFileName)
    const credentialsContent =
      '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic token\n'
    await fs.promises.writeFile(credentialsFilePath, credentialsContent)
    // Add includeIf section to local git config (separate from http.* config)
    const includeIfSection = `\n[includeIf "gitdir:/some/path/.git/"]\n\tpath = ${credentialsFilePath}\n`
    await fs.promises.appendFile(localGitConfigPath, includeIfSection)
    // Verify v6 style config exists
    let gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
    await fs.promises.stat(credentialsFilePath) // Verify file exists
    // Act
    await authHelper.removeAuth()
    // Assert v5 cleanup still happened (http.* removed)
    gitConfigContent = (
      await fs.promises.readFile(localGitConfigPath)
    ).toString()
    expect(
      gitConfigContent.indexOf('http.https://github.com/.extraheader')
    ).toBeLessThan(0)
    // Assert v6 cleanup was skipped - includeIf should still be present
    expect(gitConfigContent.indexOf('includeIf')).toBeGreaterThanOrEqual(0)
    expect(
      gitConfigContent.indexOf(credentialsFilePath)
    ).toBeGreaterThanOrEqual(0)
    // Assert credentials file still exists (wasn't deleted)
    await fs.promises.stat(credentialsFilePath) // File should still exist
    // Assert debug message was logged
    expect(core.debug).toHaveBeenCalledWith(
      'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
    )
    // Cleanup
    delete process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
  })
  const removeGlobalConfig_removesOverride =
    'removeGlobalConfig removes override'
  it(removeGlobalConfig_removesOverride, async () => {
@@ -928,52 +978,6 @@ describe('git-auth-helper tests', () => {
      }
    }
  })
  const testCredentialsConfigPath_matchesCredentialsConfigPaths =
    'testCredentialsConfigPath matches credentials config paths'
  it(testCredentialsConfigPath_matchesCredentialsConfigPaths, async () => {
    // Arrange
    await setup(testCredentialsConfigPath_matchesCredentialsConfigPaths)
    const authHelper = gitAuthHelper.createAuthHelper(git, settings)
    // Get a real credentials config path
    const credentialsConfigPath = await (
      authHelper as any
    ).getCredentialsConfigPath()
    // Act & Assert
    expect(
      (authHelper as any).testCredentialsConfigPath(credentialsConfigPath)
    ).toBe(true)
    expect(
      (authHelper as any).testCredentialsConfigPath(
        '/some/path/git-credentials-12345678-abcd-1234-5678-123456789012.config'
      )
    ).toBe(true)
    expect(
      (authHelper as any).testCredentialsConfigPath(
        '/some/path/git-credentials-abcdef12-3456-7890-abcd-ef1234567890.config'
      )
    ).toBe(true)
    // Test invalid paths
    expect(
      (authHelper as any).testCredentialsConfigPath(
        '/some/path/other-config.config'
      )
    ).toBe(false)
    expect(
      (authHelper as any).testCredentialsConfigPath(
        '/some/path/git-credentials-invalid.config'
      )
    ).toBe(false)
    expect(
      (authHelper as any).testCredentialsConfigPath(
        '/some/path/git-credentials-.config'
      )
    ).toBe(false)
    expect((authHelper as any).testCredentialsConfigPath('')).toBe(false)
  })
 })
 async function setup(testName: string): Promise<void> {
@@ -988,7 +992,6 @@ async function setup(testName: string): Promise<void> {
  await fs.promises.mkdir(tempHomedir, {recursive: true})
  process.env['RUNNER_TEMP'] = runnerTemp
  process.env['HOME'] = tempHomedir
  process.env['GITHUB_WORKSPACE'] = workspace
  // Create git config
  globalGitConfigPath = path.join(tempHomedir, '.gitconfig')
@@ -1007,20 +1010,10 @@ async function setup(testName: string): Promise<void> {
    checkout: jest.fn(),
    checkoutDetach: jest.fn(),
    config: jest.fn(
-      async (
+      async (key: string, value: string, globalConfig?: boolean) => {
-        key: string,
+        const configPath = globalConfig
-        value: string,
+          ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
-        globalConfig?: boolean,
+          : localGitConfigPath
        add?: boolean,
        configFile?: string
      ) => {
        const configPath =
          configFile ||
          (globalConfig
            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
            : localGitConfigPath)
        // Ensure directory exists
        await fs.promises.mkdir(path.dirname(configPath), {recursive: true})
        await fs.promises.appendFile(configPath, `\n${key} ${value}`)
      }
    ),
@@ -1040,7 +1033,6 @@ async function setup(testName: string): Promise<void> {
    env: {},
    fetch: jest.fn(),
    getDefaultBranch: jest.fn(),
    getSubmoduleConfigPaths: jest.fn(async () => []),
    getWorkingDirectory: jest.fn(() => workspace),
    init: jest.fn(),
    isDetached: jest.fn(),
@@ -1079,72 +1071,20 @@ async function setup(testName: string): Promise<void> {
        return true
      }
    ),
    tryConfigUnsetValue: jest.fn(
      async (
        key: string,
        value: string,
        globalConfig?: boolean,
        configPath?: string
      ): Promise<boolean> => {
        const targetConfigPath =
          configPath ||
          (globalConfig
            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
            : localGitConfigPath)
        let content = await fs.promises.readFile(targetConfigPath)
        let lines = content
          .toString()
          .split('\n')
          .filter(x => x)
          .filter(x => !(x.startsWith(key) && x.includes(value)))
        await fs.promises.writeFile(targetConfigPath, lines.join('\n'))
        return true
      }
    ),
    tryDisableAutomaticGarbageCollection: jest.fn(),
    tryGetFetchUrl: jest.fn(),
-    tryGetConfigValues: jest.fn(
+    getSubmoduleConfigPaths: jest.fn(async () => {
-      async (
+      return []
-        key: string,
+    }),
-        globalConfig?: boolean,
+    tryConfigUnsetValue: jest.fn(async () => {
-        configPath?: string
+      return true
-      ): Promise<string[]> => {
+    }),
-        const targetConfigPath =
+    tryGetConfigValues: jest.fn(async () => {
-          configPath ||
+      return []
-          (globalConfig
+    }),
-            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
+    tryGetConfigKeys: jest.fn(async () => {
-            : localGitConfigPath)
+      return []
-        const content = await fs.promises.readFile(targetConfigPath)
+    }),
        const lines = content
          .toString()
          .split('\n')
          .filter(x => x && x.startsWith(key))
          .map(x => x.substring(key.length).trim())
        return lines
      }
    ),
    tryGetConfigKeys: jest.fn(
      async (
        pattern: string,
        globalConfig?: boolean,
        configPath?: string
      ): Promise<string[]> => {
        const targetConfigPath =
          configPath ||
          (globalConfig
            ? path.join(git.env['HOME'] || tempHomedir, '.gitconfig')
            : localGitConfigPath)
        const content = await fs.promises.readFile(targetConfigPath)
        const lines = content
          .toString()
          .split('\n')
          .filter(x => x)
        const keys = lines
          .filter(x => new RegExp(pattern).test(x.split(' ')[0]))
          .map(x => x.split(' ')[0])
        return [...new Set(keys)] // Remove duplicates
      }
    ),
    tryReset: jest.fn(),
    version: jest.fn()
  }
@@ -1179,7 +1119,6 @@ async function setup(testName: string): Promise<void> {
 async function getActualSshKeyPath(): Promise<string> {
  let actualTempFiles = (await fs.promises.readdir(runnerTemp))
    .filter(x => !x.startsWith('git-credentials-')) // Exclude credentials config file
    .sort()
    .map(x => path.join(runnerTemp, x))
  if (actualTempFiles.length === 0) {
@@ -1193,7 +1132,6 @@ async function getActualSshKeyPath(): Promise<string> {
 async function getActualSshKnownHostsPath(): Promise<string> {
  let actualTempFiles = (await fs.promises.readdir(runnerTemp))
    .filter(x => !x.startsWith('git-credentials-')) // Exclude credentials config file
    .sort()
    .map(x => path.join(runnerTemp, x))
  if (actualTempFiles.length === 0) {
--- a/test/git-command-manager.test.ts
+++ b/test/git-command-manager.test.ts
@@ -108,7 +108,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    jest.restoreAllMocks()
  })
-  it('should call execGit with the correct arguments when fetchDepth is 0', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is true', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
@@ -122,7 +122,45 @@ describe('Test fetchDepth and fetchTags options', () => {
    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
-      fetchDepth: 0
+      fetchDepth: 0,
      fetchTags: true
    }
    await git.fetch(refSpec, options)
    expect(mockExec).toHaveBeenCalledWith(
      expect.any(String),
      [
        '-c',
        'protocol.version=2',
        'fetch',
        '--prune',
        '--no-recurse-submodules',
        '--filter=filterValue',
        'origin',
        'refspec1',
        'refspec2'
      ],
      expect.any(Object)
    )
  })
  it('should call execGit with the correct arguments when fetchDepth is 0 and fetchTags is false', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
    const doSparseCheckout = false
    git = await commandManager.createCommandManager(
      workingDirectory,
      lfs,
      doSparseCheckout
    )
    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
      fetchDepth: 0,
      fetchTags: false
    }
    await git.fetch(refSpec, options)
@@ -145,45 +183,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    )
  })
-  it('should call execGit with the correct arguments when fetchDepth is 0 and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is false', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
    const doSparseCheckout = false
    git = await commandManager.createCommandManager(
      workingDirectory,
      lfs,
      doSparseCheckout
    )
    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
    const options = {
      filter: 'filterValue',
      fetchDepth: 0
    }
    await git.fetch(refSpec, options)
    expect(mockExec).toHaveBeenCalledWith(
      expect.any(String),
      [
        '-c',
        'protocol.version=2',
        'fetch',
        '--no-tags',
        '--prune',
        '--no-recurse-submodules',
        '--filter=filterValue',
        'origin',
        'refspec1',
        'refspec2',
        '+refs/tags/*:refs/tags/*'
      ],
      expect.any(Object)
    )
  })
  it('should call execGit with the correct arguments when fetchDepth is 1', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
@@ -197,7 +197,8 @@ describe('Test fetchDepth and fetchTags options', () => {
    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
-      fetchDepth: 1
+      fetchDepth: 1,
      fetchTags: false
    }
    await git.fetch(refSpec, options)
@@ -221,7 +222,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    )
  })
-  it('should call execGit with the correct arguments when fetchDepth is 1 and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchDepth is 1 and fetchTags is true', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
@@ -232,10 +233,11 @@ describe('Test fetchDepth and fetchTags options', () => {
      lfs,
      doSparseCheckout
    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
+    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
-      fetchDepth: 1
+      fetchDepth: 1,
      fetchTags: true
    }
    await git.fetch(refSpec, options)
@@ -246,15 +248,13 @@ describe('Test fetchDepth and fetchTags options', () => {
        '-c',
        'protocol.version=2',
        'fetch',
        '--no-tags',
        '--prune',
        '--no-recurse-submodules',
        '--filter=filterValue',
        '--depth=1',
        'origin',
        'refspec1',
-        'refspec2',
+        'refspec2'
        '+refs/tags/*:refs/tags/*'
      ],
      expect.any(Object)
    )
@@ -338,7 +338,7 @@ describe('Test fetchDepth and fetchTags options', () => {
    )
  })
-  it('should call execGit with the correct arguments when showProgress is true and refSpec includes tags', async () => {
+  it('should call execGit with the correct arguments when fetchTags is true and showProgress is true', async () => {
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
@@ -349,9 +349,10 @@ describe('Test fetchDepth and fetchTags options', () => {
      lfs,
      doSparseCheckout
    )
-    const refSpec = ['refspec1', 'refspec2', '+refs/tags/*:refs/tags/*']
+    const refSpec = ['refspec1', 'refspec2']
    const options = {
      filter: 'filterValue',
      fetchTags: true,
      showProgress: true
    }
@@ -363,134 +364,15 @@ describe('Test fetchDepth and fetchTags options', () => {
        '-c',
        'protocol.version=2',
        'fetch',
        '--no-tags',
        '--prune',
        '--no-recurse-submodules',
        '--progress',
        '--filter=filterValue',
        'origin',
        'refspec1',
-        'refspec2',
+        'refspec2'
        '+refs/tags/*:refs/tags/*'
      ],
      expect.any(Object)
    )
  })
 })
 describe('git user-agent with orchestration ID', () => {
  beforeEach(async () => {
    jest.spyOn(fshelper, 'fileExistsSync').mockImplementation(jest.fn())
    jest.spyOn(fshelper, 'directoryExistsSync').mockImplementation(jest.fn())
  })
  afterEach(() => {
    jest.restoreAllMocks()
    // Clean up environment variable to prevent test pollution
    delete process.env['ACTIONS_ORCHESTRATION_ID']
  })
  it('should include orchestration ID in user-agent when ACTIONS_ORCHESTRATION_ID is set', async () => {
    const orchId = 'test-orch-id-12345'
    process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
    let capturedEnv: any = null
    mockExec.mockImplementation((path, args, options) => {
      if (args.includes('version')) {
        options.listeners.stdout(Buffer.from('2.18'))
      }
      // Capture env on any command
      capturedEnv = options.env
      return 0
    })
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
    const doSparseCheckout = false
    git = await commandManager.createCommandManager(
      workingDirectory,
      lfs,
      doSparseCheckout
    )
    // Call a git command to trigger env capture after user-agent is set
    await git.init()
    // Verify the user agent includes the orchestration ID
    expect(git).toBeDefined()
    expect(capturedEnv).toBeDefined()
    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
      `git/2.18 (github-actions-checkout) actions_orchestration_id/${orchId}`
    )
  })
  it('should sanitize invalid characters in orchestration ID', async () => {
    const orchId = 'test (with) special/chars'
    process.env['ACTIONS_ORCHESTRATION_ID'] = orchId
    let capturedEnv: any = null
    mockExec.mockImplementation((path, args, options) => {
      if (args.includes('version')) {
        options.listeners.stdout(Buffer.from('2.18'))
      }
      // Capture env on any command
      capturedEnv = options.env
      return 0
    })
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
    const doSparseCheckout = false
    git = await commandManager.createCommandManager(
      workingDirectory,
      lfs,
      doSparseCheckout
    )
    // Call a git command to trigger env capture after user-agent is set
    await git.init()
    // Verify the user agent has sanitized orchestration ID (spaces, parentheses, slash replaced)
    expect(git).toBeDefined()
    expect(capturedEnv).toBeDefined()
    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
      'git/2.18 (github-actions-checkout) actions_orchestration_id/test__with__special_chars'
    )
  })
  it('should not modify user-agent when ACTIONS_ORCHESTRATION_ID is not set', async () => {
    delete process.env['ACTIONS_ORCHESTRATION_ID']
    let capturedEnv: any = null
    mockExec.mockImplementation((path, args, options) => {
      if (args.includes('version')) {
        options.listeners.stdout(Buffer.from('2.18'))
      }
      // Capture env on any command
      capturedEnv = options.env
      return 0
    })
    jest.spyOn(exec, 'exec').mockImplementation(mockExec)
    const workingDirectory = 'test'
    const lfs = false
    const doSparseCheckout = false
    git = await commandManager.createCommandManager(
      workingDirectory,
      lfs,
      doSparseCheckout
    )
    // Call a git command to trigger env capture after user-agent is set
    await git.init()
    // Verify the user agent does NOT contain orchestration ID
    expect(git).toBeDefined()
    expect(capturedEnv).toBeDefined()
    expect(capturedEnv['GIT_HTTP_USER_AGENT']).toBe(
      'git/2.18 (github-actions-checkout)'
    )
  })
 })
--- a/test/git-directory-helper.test.ts
+++ b/test/git-directory-helper.test.ts
@@ -471,7 +471,6 @@ async function setup(testName: string): Promise<void> {
    configExists: jest.fn(),
    fetch: jest.fn(),
    getDefaultBranch: jest.fn(),
    getSubmoduleConfigPaths: jest.fn(async () => []),
    getWorkingDirectory: jest.fn(() => repositoryPath),
    init: jest.fn(),
    isDetached: jest.fn(),
@@ -494,15 +493,24 @@ async function setup(testName: string): Promise<void> {
      return true
    }),
    tryConfigUnset: jest.fn(),
    tryConfigUnsetValue: jest.fn(),
    tryDisableAutomaticGarbageCollection: jest.fn(),
    tryGetFetchUrl: jest.fn(async () => {
      // Sanity check - this function shouldn't be called when the .git directory doesn't exist
      await fs.promises.stat(path.join(repositoryPath, '.git'))
      return repositoryUrl
    }),
-    tryGetConfigValues: jest.fn(),
+    getSubmoduleConfigPaths: jest.fn(async () => {
-    tryGetConfigKeys: jest.fn(),
+      return []
    }),
    tryConfigUnsetValue: jest.fn(async () => {
      return true
    }),
    tryGetConfigValues: jest.fn(async () => {
      return []
    }),
    tryGetConfigKeys: jest.fn(async () => {
      return []
    }),
    tryReset: jest.fn(async () => {
      return true
    }),
--- a/test/ref-helper.test.ts
+++ b/test/ref-helper.test.ts
@@ -152,22 +152,7 @@ describe('ref-helper tests', () => {
  it('getRefSpec sha + refs/tags/', async () => {
    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit)
    expect(refSpec.length).toBe(1)
-    expect(refSpec[0]).toBe(`+refs/tags/my-tag:refs/tags/my-tag`)
+    expect(refSpec[0]).toBe(`+${commit}:refs/tags/my-tag`)
  })
  it('getRefSpec sha + refs/tags/ with fetchTags', async () => {
    // When fetchTags is true, only include tags wildcard (specific tag is redundant)
    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', commit, true)
    expect(refSpec.length).toBe(1)
    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
  })
  it('getRefSpec sha + refs/heads/ with fetchTags', async () => {
    // When fetchTags is true, include both the branch refspec and tags wildcard
    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', commit, true)
    expect(refSpec.length).toBe(2)
    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
    expect(refSpec[1]).toBe(`+${commit}:refs/remotes/origin/my/branch`)
  })
  it('getRefSpec sha only', async () => {
@@ -183,14 +168,6 @@ describe('ref-helper tests', () => {
    expect(refSpec[1]).toBe('+refs/tags/my-ref*:refs/tags/my-ref*')
  })
  it('getRefSpec unqualified ref only with fetchTags', async () => {
    // When fetchTags is true, skip specific tag pattern since wildcard covers all
    const refSpec = refHelper.getRefSpec('my-ref', '', true)
    expect(refSpec.length).toBe(2)
    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
    expect(refSpec[1]).toBe('+refs/heads/my-ref*:refs/remotes/origin/my-ref*')
  })
  it('getRefSpec refs/heads/ only', async () => {
    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '')
    expect(refSpec.length).toBe(1)
@@ -210,21 +187,4 @@ describe('ref-helper tests', () => {
    expect(refSpec.length).toBe(1)
    expect(refSpec[0]).toBe('+refs/tags/my-tag:refs/tags/my-tag')
  })
  it('getRefSpec refs/tags/ only with fetchTags', async () => {
    // When fetchTags is true, only include tags wildcard (specific tag is redundant)
    const refSpec = refHelper.getRefSpec('refs/tags/my-tag', '', true)
    expect(refSpec.length).toBe(1)
    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
  })
  it('getRefSpec refs/heads/ only with fetchTags', async () => {
    // When fetchTags is true, include both the branch refspec and tags wildcard
    const refSpec = refHelper.getRefSpec('refs/heads/my/branch', '', true)
    expect(refSpec.length).toBe(2)
    expect(refSpec[0]).toBe('+refs/tags/*:refs/tags/*')
    expect(refSpec[1]).toBe(
      '+refs/heads/my/branch:refs/remotes/origin/my/branch'
    )
  })
 })
--- a/test/verify-fetch-tags.sh
+++ b/test/verify-fetch-tags.sh
@@ -1,9 +0,0 @@
 #!/bin/sh
 # Verify tags were fetched
 TAG_COUNT=$(git -C ./fetch-tags-test tag | wc -l)
 if [ "$TAG_COUNT" -eq 0 ]; then
    echo "Expected tags to be fetched, but found none"
    exit 1
 fi
 echo "Found $TAG_COUNT tags"
--- a/test/verify-submodules-recursive.sh
+++ b/test/verify-submodules-recursive.sh
@@ -17,7 +17,7 @@ fi
 echo "Testing persisted credential"
 pushd ./submodules-recursive/submodule-level-1/submodule-level-2
-git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
+git config --local --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
    echo "Failed to validate persisted credential"
    popd
--- a/test/verify-submodules-true.sh
+++ b/test/verify-submodules-true.sh
@@ -17,7 +17,7 @@ fi
 echo "Testing persisted credential"
 pushd ./submodules-true/submodule-level-1
-git config --local --includes --name-only --get-regexp http.+extraheader && git fetch
+git config --local --name-only --get-regexp http.+extraheader && git fetch
 if [ "$?" != "0" ]; then
    echo "Failed to validate persisted credential"
    popd
--- a/test/verify-worktree.sh
+++ b/test/verify-worktree.sh
@@ -1,51 +0,0 @@
 #!/bin/bash
 set -e
 # Verify worktree credentials
 # This test verifies that git credentials work in worktrees created after checkout
 # Usage: verify-worktree.sh <checkout-path> <worktree-name>
 CHECKOUT_PATH="$1"
 WORKTREE_NAME="$2"
 if [ -z "$CHECKOUT_PATH" ] || [ -z "$WORKTREE_NAME" ]; then
  echo "Usage: verify-worktree.sh <checkout-path> <worktree-name>"
  exit 1
 fi
 cd "$CHECKOUT_PATH"
 # Add safe directory for container environments
 git config --global --add safe.directory "*" 2>/dev/null || true
 # Show the includeIf configuration
 echo "Git config includeIf entries:"
 git config --list --show-origin | grep -i include || true
 # Create the worktree
 echo "Creating worktree..."
 git worktree add "../$WORKTREE_NAME" HEAD --detach
 # Change to worktree directory
 cd "../$WORKTREE_NAME"
 # Verify we're in a worktree
 echo "Verifying worktree gitdir:"
 cat .git
 # Verify credentials are available in worktree by checking extraheader is configured
 echo "Checking credentials in worktree..."
 if git config --list --show-origin | grep -q "extraheader"; then
  echo "Credentials are configured in worktree"
 else
  echo "ERROR: Credentials are NOT configured in worktree"
  echo "Full git config:"
  git config --list --show-origin
  exit 1
 fi
 # Verify fetch works in the worktree
 echo "Fetching in worktree..."
 git fetch origin
 echo "Worktree credentials test passed!"
--- a/dist/index.js
+++ b/dist/index.js
@@ -162,7 +162,6 @@ class GitAuthHelper {
        this.sshKeyPath = '';
        this.sshKnownHostsPath = '';
        this.temporaryHomePath = '';
        this.credentialsConfigPath = ''; // Path to separate credentials config file in RUNNER_TEMP
        this.git = gitCommandManager;
        this.settings = gitSourceSettings || {};
        // Token auth header
@@ -230,17 +229,15 @@ class GitAuthHelper {
    configureGlobalAuth() {
        return __awaiter(this, void 0, void 0, function* () {
            // 'configureTempGlobalConfig' noops if already set, just returns the path
-            yield this.configureTempGlobalConfig();
+            const newGitConfigPath = yield this.configureTempGlobalConfig();
            try {
                // Configure the token
-                yield this.configureToken(true);
+                yield this.configureToken(newGitConfigPath, true);
                // Configure HTTPS instead of SSH
                yield this.git.tryConfigUnset(this.insteadOfKey, true);
                if (!this.settings.sshKey) {
                    for (const insteadOfValue of this.insteadOfValues) {
-                        yield this.git.config(this.insteadOfKey, insteadOfValue, true, // globalConfig?
+                        yield this.git.config(this.insteadOfKey, insteadOfValue, true, true);
                        true // add?
                        );
                    }
                }
            }
@@ -255,34 +252,19 @@ class GitAuthHelper {
    configureSubmoduleAuth() {
        return __awaiter(this, void 0, void 0, function* () {
            // Remove possible previous HTTPS instead of SSH
-            yield this.removeSubmoduleGitConfig(this.insteadOfKey);
+            yield this.removeGitConfig(this.insteadOfKey, true);
            if (this.settings.persistCredentials) {
-                // Get the credentials config file path in RUNNER_TEMP
+                // Configure a placeholder value. This approach avoids the credential being captured
-                const credentialsConfigPath = this.getCredentialsConfigPath();
+                // by process creation audit events, which are commonly logged. For more information,
-                // Container credentials config path
+                // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
-                const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
+                const output = yield this.git.submoduleForeach(
-                // Get submodule config file paths.
+                // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
-                const configPaths = yield this.git.getSubmoduleConfigPaths(this.settings.nestedSubmodules);
+                `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`, this.settings.nestedSubmodules);
-                // For each submodule, configure includeIf entries pointing to the shared credentials file.
+                // Replace the placeholder
-                // Configure both host and container paths to support Docker container actions.
+                const configPaths = output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || [];
                for (const configPath of configPaths) {
-                    // Submodule Git directory
+                    core.debug(`Replacing token placeholder in '${configPath}'`);
-                    let submoduleGitDir = path.dirname(configPath); // The config file is at .git/modules/submodule-name/config
+                    yield this.replaceTokenPlaceholder(configPath);
                    submoduleGitDir = submoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                    // Configure host includeIf
                    yield this.git.config(`includeIf.gitdir:${submoduleGitDir}.path`, credentialsConfigPath, false, // globalConfig?
                    false, // add?
                    configPath);
                    // Container submodule git directory
                    const githubWorkspace = process.env['GITHUB_WORKSPACE'];
                    assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
                    let relativeSubmoduleGitDir = path.relative(githubWorkspace, submoduleGitDir);
                    relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                    const containerSubmoduleGitDir = path.posix.join('/github/workspace', relativeSubmoduleGitDir);
                    // Configure container includeIf
                    yield this.git.config(`includeIf.gitdir:${containerSubmoduleGitDir}.path`, containerCredentialsPath, false, // globalConfig?
                    false, // add?
                    configPath);
                }
                if (this.settings.sshKey) {
                    // Configure core.sshCommand
@@ -313,10 +295,6 @@ class GitAuthHelper {
            }
        });
    }
    /**
     * Configures SSH authentication by writing the SSH key and known hosts,
     * and setting up the GIT_SSH_COMMAND environment variable.
     */
    configureSsh() {
        return __awaiter(this, void 0, void 0, function* () {
            if (!this.settings.sshKey) {
@@ -373,94 +351,43 @@ class GitAuthHelper {
            }
        });
    }
-    /**
+    configureToken(configPath, globalConfig) {
     * Configures token-based authentication by creating a credentials config file
     * and setting up includeIf entries to reference it.
     * @param globalConfig Whether to configure global config instead of local
     */
    configureToken(globalConfig) {
        return __awaiter(this, void 0, void 0, function* () {
-            // Get the credentials config file path in RUNNER_TEMP
+            // Validate args
-            const credentialsConfigPath = this.getCredentialsConfigPath();
+            assert.ok((configPath && globalConfig) || (!configPath && !globalConfig), 'Unexpected configureToken parameter combinations');
-            // Write placeholder to the separate credentials config file using git config.
+            // Default config path
-            // This approach avoids the credential being captured by process creation audit events,
+            if (!configPath && !globalConfig) {
-            // which are commonly logged. For more information, refer to
+                configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config');
-            // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+            }
-            yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, false, // globalConfig?
+            // Configure a placeholder value. This approach avoids the credential being captured
-            false, // add?
+            // by process creation audit events, which are commonly logged. For more information,
-            credentialsConfigPath);
+            // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
-            // Replace the placeholder in the credentials config file
+            yield this.git.config(this.tokenConfigKey, this.tokenPlaceholderConfigValue, globalConfig);
-            let content = (yield fs.promises.readFile(credentialsConfigPath)).toString();
+            // Replace the placeholder
            yield this.replaceTokenPlaceholder(configPath || '');
        });
    }
    replaceTokenPlaceholder(configPath) {
        return __awaiter(this, void 0, void 0, function* () {
            assert.ok(configPath, 'configPath is not defined');
            let content = (yield fs.promises.readFile(configPath)).toString();
            const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue);
            if (placeholderIndex < 0 ||
                placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)) {
-                throw new Error(`Unable to replace auth placeholder in ${credentialsConfigPath}`);
+                throw new Error(`Unable to replace auth placeholder in ${configPath}`);
            }
            assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined');
            content = content.replace(this.tokenPlaceholderConfigValue, this.tokenConfigValue);
-            yield fs.promises.writeFile(credentialsConfigPath, content);
+            yield fs.promises.writeFile(configPath, content);
            // Add include or includeIf to reference the credentials config
            if (globalConfig) {
                // Global config file is temporary
                yield this.git.config('include.path', credentialsConfigPath, true // globalConfig?
                );
            }
            else {
                // Host git directory
                let gitDir = path.join(this.git.getWorkingDirectory(), '.git');
                gitDir = gitDir.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                // Configure host includeIf
                const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`;
                yield this.git.config(hostIncludeKey, credentialsConfigPath);
                // Configure host includeIf for worktrees
                const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`;
                yield this.git.config(hostWorktreeIncludeKey, credentialsConfigPath);
                // Container git directory
                const workingDirectory = this.git.getWorkingDirectory();
                const githubWorkspace = process.env['GITHUB_WORKSPACE'];
                assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined');
                let relativePath = path.relative(githubWorkspace, workingDirectory);
                relativePath = relativePath.replace(/\\/g, '/'); // Use forward slashes, even on Windows
                const containerGitDir = path.posix.join('/github/workspace', relativePath, '.git');
                // Container credentials config path
                const containerCredentialsPath = path.posix.join('/github/runner_temp', path.basename(credentialsConfigPath));
                // Configure container includeIf
                const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`;
                yield this.git.config(containerIncludeKey, containerCredentialsPath);
                // Configure container includeIf for worktrees
                const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`;
                yield this.git.config(containerWorktreeIncludeKey, containerCredentialsPath);
            }
        });
    }
    /**
     * Gets or creates the path to the credentials config file in RUNNER_TEMP.
     * @returns The absolute path to the credentials config file
     */
    getCredentialsConfigPath() {
        if (this.credentialsConfigPath) {
            return this.credentialsConfigPath;
        }
        const runnerTemp = process.env['RUNNER_TEMP'] || '';
        assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
        // Create a unique filename for this checkout instance
        const configFileName = `git-credentials-${(0, uuid_1.v4)()}.config`;
        this.credentialsConfigPath = path.join(runnerTemp, configFileName);
        core.debug(`Credentials config path: ${this.credentialsConfigPath}`);
        return this.credentialsConfigPath;
    }
    /**
     * Removes SSH authentication configuration by cleaning up SSH keys,
     * known hosts files, and SSH command configurations.
     */
    removeSsh() {
        return __awaiter(this, void 0, void 0, function* () {
-            var _a, _b;
+            var _a;
            // SSH key
            const keyPath = this.sshKeyPath || stateHelper.SshKeyPath;
            if (keyPath) {
                try {
                    core.info(`Removing SSH key '${keyPath}'`);
                    yield io.rmRF(keyPath);
                }
                catch (err) {
@@ -472,91 +399,82 @@ class GitAuthHelper {
            const knownHostsPath = this.sshKnownHostsPath || stateHelper.SshKnownHostsPath;
            if (knownHostsPath) {
                try {
                    core.info(`Removing SSH known hosts '${knownHostsPath}'`);
                    yield io.rmRF(knownHostsPath);
                }
-                catch (err) {
+                catch (_b) {
-                    core.debug(`${(_b = err === null || err === void 0 ? void 0 : err.message) !== null && _b !== void 0 ? _b : err}`);
+                    // Intentionally empty
                    core.warning(`Failed to remove SSH known hosts '${knownHostsPath}'`);
                }
            }
            // SSH command
            core.info('Removing SSH command configuration');
            yield this.removeGitConfig(SSH_COMMAND_KEY);
            yield this.removeSubmoduleGitConfig(SSH_COMMAND_KEY);
        });
    }
    /**
     * Removes token-based authentication by cleaning up HTTP headers,
     * includeIf entries, and credentials config files.
     */
    removeToken() {
        return __awaiter(this, void 0, void 0, function* () {
-            var _a;
+            // Remove HTTP extra header from local git config and submodule configs
            // Remove HTTP extra header
            core.info('Removing HTTP extra header');
            yield this.removeGitConfig(this.tokenConfigKey);
-            yield this.removeSubmoduleGitConfig(this.tokenConfigKey);
+            //
-            // Collect credentials config paths that need to be removed
+            // Cleanup actions/checkout@v6 style credentials
-            const credentialsPaths = new Set();
+            //
-            // Remove includeIf entries that point to git-credentials-*.config files
+            const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'];
-            core.info('Removing includeIf entries pointing to credentials config files');
+            if (skipV6Cleanup === '1' || (skipV6Cleanup === null || skipV6Cleanup === void 0 ? void 0 : skipV6Cleanup.toLowerCase()) === 'true') {
-            const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
+                core.debug('Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP');
-            mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
+                return;
            // Remove submodule includeIf entries that point to git-credentials-*.config files
            const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
            for (const configPath of submoduleConfigPaths) {
                const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath);
                submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path));
            }
-            // Remove credentials config files
+            try {
-            for (const credentialsPath of credentialsPaths) {
+                // Collect credentials config paths that need to be removed
-                // Only remove credentials config files if they are under RUNNER_TEMP
+                const credentialsPaths = new Set();
-                const runnerTemp = process.env['RUNNER_TEMP'];
+                // Remove includeIf entries that point to git-credentials-*.config files
-                assert.ok(runnerTemp, 'RUNNER_TEMP is not defined');
+                const mainCredentialsPaths = yield this.removeIncludeIfCredentials();
-                if (credentialsPath.startsWith(runnerTemp)) {
+                mainCredentialsPaths.forEach(path => credentialsPaths.add(path));
-                    try {
+                // Remove submodule includeIf entries that point to git-credentials-*.config files
-                        core.info(`Removing credentials config '${credentialsPath}'`);
+                try {
-                        yield io.rmRF(credentialsPath);
+                    const submoduleConfigPaths = yield this.git.getSubmoduleConfigPaths(true);
-                    }
+                    for (const configPath of submoduleConfigPaths) {
-                    catch (err) {
+                        const submoduleCredentialsPaths = yield this.removeIncludeIfCredentials(configPath);
-                        core.debug(`${(_a = err === null || err === void 0 ? void 0 : err.message) !== null && _a !== void 0 ? _a : err}`);
+                        submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path));
                        core.warning(`Failed to remove credentials config '${credentialsPath}'`);
                    }
                }
-                else {
+                catch (err) {
-                    core.debug(`Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`);
+                    core.debug(`Unable to get submodule config paths: ${err}`);
                }
                // Remove credentials config files
                for (const credentialsPath of credentialsPaths) {
                    // Only remove credentials config files if they are under RUNNER_TEMP
                    const runnerTemp = process.env['RUNNER_TEMP'];
                    if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
                        try {
                            yield io.rmRF(credentialsPath);
                        }
                        catch (err) {
                            core.debug(`Failed to remove credentials config '${credentialsPath}': ${err}`);
                        }
                    }
                }
            }
            catch (err) {
                core.debug(`Failed to cleanup v6 style credentials: ${err}`);
            }
        });
    }
-    /**
+    removeGitConfig(configKey_1) {
-     * Removes a git config key from the local repository config.
+        return __awaiter(this, arguments, void 0, function* (configKey, submoduleOnly = false) {
-     * @param configKey The git config key to remove
+            if (!submoduleOnly) {
-     */
+                if ((yield this.git.configExists(configKey)) &&
-    removeGitConfig(configKey) {
+                    !(yield this.git.tryConfigUnset(configKey))) {
-        return __awaiter(this, void 0, void 0, function* () {
+                    // Load the config contents
-            if ((yield this.git.configExists(configKey)) &&
+                    core.warning(`Failed to remove '${configKey}' from the git config`);
-                !(yield this.git.tryConfigUnset(configKey))) {
+                }
                // Load the config contents
                core.warning(`Failed to remove '${configKey}' from the git config`);
            }
        });
    }
    /**
     * Removes a git config key from all submodule configs.
     * @param configKey The git config key to remove
     */
    removeSubmoduleGitConfig(configKey) {
        return __awaiter(this, void 0, void 0, function* () {
            const pattern = regexpHelper.escape(configKey);
            yield this.git.submoduleForeach(
-            // Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline.
+            // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
            `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`, true);
        });
    }
    /**
     * Removes includeIf entries that point to git-credentials-*.config files.
     * This handles cleanup of credentials configured by newer versions of the action.
     * @param configPath Optional path to a specific git config file to operate on
     * @returns Array of unique credentials config file paths that were found and removed
     */
@@ -584,18 +502,13 @@ class GitAuthHelper {
            }
            catch (err) {
                // Ignore errors - this is cleanup code
-                if (configPath) {
+                core.debug(`Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`);
                    core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`);
                }
                else {
                    core.debug(`Error during includeIf cleanup: ${err}`);
                }
            }
            return Array.from(credentialsPaths);
        });
    }
    /**
-     * Tests if a path matches the git-credentials-*.config pattern.
+     * Tests if a path matches the git-credentials-*.config pattern used by newer versions.
     * @param path The path to test
     * @returns True if the path matches the credentials config pattern
     */
@@ -653,6 +566,7 @@ const fs = __importStar(__nccwpck_require__(7147));
 const fshelper = __importStar(__nccwpck_require__(7219));
 const io = __importStar(__nccwpck_require__(7436));
 const path = __importStar(__nccwpck_require__(1017));
 const refHelper = __importStar(__nccwpck_require__(8601));
 const regexpHelper = __importStar(__nccwpck_require__(3120));
 const retryHelper = __importStar(__nccwpck_require__(2155));
 const git_version_1 = __nccwpck_require__(3142);
@@ -798,15 +712,9 @@ class GitCommandManager {
            yield this.execGit(args);
        });
    }
-    config(configKey, configValue, globalConfig, add, configFile) {
+    config(configKey, configValue, globalConfig, add) {
        return __awaiter(this, void 0, void 0, function* () {
-            const args = ['config'];
+            const args = ['config', globalConfig ? '--global' : '--local'];
            if (configFile) {
                args.push('--file', configFile);
            }
            else {
                args.push(globalConfig ? '--global' : '--local');
            }
            if (add) {
                args.push('--add');
            }
@@ -830,9 +738,9 @@ class GitCommandManager {
    fetch(refSpec, options) {
        return __awaiter(this, void 0, void 0, function* () {
            const args = ['-c', 'protocol.version=2', 'fetch'];
-            // Always use --no-tags for explicit control over tag fetching
+            if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
-            // Tags are fetched explicitly via refspec when needed
+                args.push('--no-tags');
-            args.push('--no-tags');
+            }
            args.push('--prune', '--no-recurse-submodules');
            if (options.showProgress) {
                args.push('--progress');
@@ -1205,17 +1113,7 @@ class GitCommandManager {
                }
            }
            // Set the user agent
-            let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
+            const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`;
            // Append orchestration ID if set
            const orchId = process.env['ACTIONS_ORCHESTRATION_ID'];
            if (orchId) {
                // Sanitize the orchestration ID to ensure it contains only valid characters
                // Valid characters: 0-9, a-z, _, -, .
                const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_');
                if (sanitizedId) {
                    gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`;
                }
            }
            core.debug(`Set git useragent to: ${gitHttpUserAgent}`);
            this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent;
        });
@@ -1538,26 +1436,13 @@ function getSource(settings) {
                if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
                    refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
                    yield git.fetch(refSpec, fetchOptions);
                    // Verify the ref now matches. For branches, the targeted fetch above brings
                    // in the specific commit. For tags (fetched by ref), this will fail if
                    // the tag was moved after the workflow was triggered.
                    if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
                        throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
                            `The ref may have been updated after the workflow was triggered.`);
                    }
                }
            }
            else {
                fetchOptions.fetchDepth = settings.fetchDepth;
-                const refSpec = refHelper.getRefSpec(settings.ref, settings.commit, settings.fetchTags);
+                fetchOptions.fetchTags = settings.fetchTags;
                const refSpec = refHelper.getRefSpec(settings.ref, settings.commit);
                yield git.fetch(refSpec, fetchOptions);
                // For tags, verify the ref still points to the expected commit.
                // Tags are fetched by ref (not commit), so if a tag was moved after the
                // workflow was triggered, we would silently check out the wrong commit.
                if (!(yield refHelper.testRef(git, settings.ref, settings.commit))) {
                    throw new Error(`The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
                        `The ref may have been updated after the workflow was triggered.`);
                }
            }
            core.endGroup();
            // Checkout info
@@ -2296,67 +2181,53 @@ function getRefSpecForAllHistory(ref, commit) {
    }
    return result;
 }
-function getRefSpec(ref, commit, fetchTags) {
+function getRefSpec(ref, commit) {
    if (!ref && !commit) {
        throw new Error('Args ref and commit cannot both be empty');
    }
    const upperRef = (ref || '').toUpperCase();
    const result = [];
    // When fetchTags is true, always include the tags refspec
    if (fetchTags) {
        result.push(exports.tagsRefSpec);
    }
    // SHA
    if (commit) {
        // refs/heads
        if (upperRef.startsWith('REFS/HEADS/')) {
            const branch = ref.substring('refs/heads/'.length);
-            result.push(`+${commit}:refs/remotes/origin/${branch}`);
+            return [`+${commit}:refs/remotes/origin/${branch}`];
        }
        // refs/pull/
        else if (upperRef.startsWith('REFS/PULL/')) {
            const branch = ref.substring('refs/pull/'.length);
-            result.push(`+${commit}:refs/remotes/pull/${branch}`);
+            return [`+${commit}:refs/remotes/pull/${branch}`];
        }
        // refs/tags/
        else if (upperRef.startsWith('REFS/TAGS/')) {
-            if (!fetchTags) {
+            return [`+${commit}:${ref}`];
                result.push(`+${ref}:${ref}`);
            }
        }
        // Otherwise no destination ref
        else {
-            result.push(commit);
+            return [commit];
        }
    }
    // Unqualified ref, check for a matching branch or tag
    else if (!upperRef.startsWith('REFS/')) {
-        result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`);
+        return [
-        if (!fetchTags) {
+            `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
-            result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`);
+            `+refs/tags/${ref}*:refs/tags/${ref}*`
-        }
+        ];
    }
    // refs/heads/
    else if (upperRef.startsWith('REFS/HEADS/')) {
        const branch = ref.substring('refs/heads/'.length);
-        result.push(`+${ref}:refs/remotes/origin/${branch}`);
+        return [`+${ref}:refs/remotes/origin/${branch}`];
    }
    // refs/pull/
    else if (upperRef.startsWith('REFS/PULL/')) {
        const branch = ref.substring('refs/pull/'.length);
-        result.push(`+${ref}:refs/remotes/pull/${branch}`);
+        return [`+${ref}:refs/remotes/pull/${branch}`];
    }
    // refs/tags/
    else if (upperRef.startsWith('REFS/TAGS/')) {
        if (!fetchTags) {
            result.push(`+${ref}:${ref}`);
        }
    }
    // Other refs
    else {
-        result.push(`+${ref}:${ref}`);
+        return [`+${ref}:${ref}`];
    }
    return result;
 }
 /**
 * Tests whether the initial fetch created the ref at the expected commit
@@ -2392,9 +2263,7 @@ function testRef(git, ref, commit) {
        // refs/tags/
        else if (upperRef.startsWith('REFS/TAGS/')) {
            const tagName = ref.substring('refs/tags/'.length);
-            // Use ^{commit} to dereference annotated tags to their underlying commit
+            return ((yield git.tagExists(tagName)) && commit === (yield git.revParse(ref)));
            return ((yield git.tagExists(tagName)) &&
                commit === (yield git.revParse(`${ref}^{commit}`)));
        }
        // Unexpected
        else {
--- a/src/git-auth-helper.ts
+++ b/src/git-auth-helper.ts
@@ -43,7 +43,6 @@ class GitAuthHelper {
  private sshKeyPath = ''
  private sshKnownHostsPath = ''
  private temporaryHomePath = ''
  private credentialsConfigPath = '' // Path to separate credentials config file in RUNNER_TEMP
  constructor(
    gitCommandManager: IGitCommandManager,
@@ -127,21 +126,16 @@ class GitAuthHelper {
  async configureGlobalAuth(): Promise<void> {
    // 'configureTempGlobalConfig' noops if already set, just returns the path
-    await this.configureTempGlobalConfig()
+    const newGitConfigPath = await this.configureTempGlobalConfig()
    try {
      // Configure the token
-      await this.configureToken(true)
+      await this.configureToken(newGitConfigPath, true)
      // Configure HTTPS instead of SSH
      await this.git.tryConfigUnset(this.insteadOfKey, true)
      if (!this.settings.sshKey) {
        for (const insteadOfValue of this.insteadOfValues) {
-          await this.git.config(
+          await this.git.config(this.insteadOfKey, insteadOfValue, true, true)
            this.insteadOfKey,
            insteadOfValue,
            true, // globalConfig?
            true // add?
          )
        }
      }
    } catch (err) {
@@ -156,60 +150,24 @@ class GitAuthHelper {
  async configureSubmoduleAuth(): Promise<void> {
    // Remove possible previous HTTPS instead of SSH
-    await this.removeSubmoduleGitConfig(this.insteadOfKey)
+    await this.removeGitConfig(this.insteadOfKey, true)
    if (this.settings.persistCredentials) {
-      // Get the credentials config file path in RUNNER_TEMP
+      // Configure a placeholder value. This approach avoids the credential being captured
-      const credentialsConfigPath = this.getCredentialsConfigPath()
+      // by process creation audit events, which are commonly logged. For more information,
-
+      // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
-      // Container credentials config path
+      const output = await this.git.submoduleForeach(
-      const containerCredentialsPath = path.posix.join(
+        // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
-        '/github/runner_temp',
+        `sh -c "git config --local '${this.tokenConfigKey}' '${this.tokenPlaceholderConfigValue}' && git config --local --show-origin --name-only --get-regexp remote.origin.url"`,
        path.basename(credentialsConfigPath)
      )
      // Get submodule config file paths.
      const configPaths = await this.git.getSubmoduleConfigPaths(
        this.settings.nestedSubmodules
      )
-      // For each submodule, configure includeIf entries pointing to the shared credentials file.
+      // Replace the placeholder
-      // Configure both host and container paths to support Docker container actions.
+      const configPaths: string[] =
        output.match(/(?<=(^|\n)file:)[^\t]+(?=\tremote\.origin\.url)/g) || []
      for (const configPath of configPaths) {
-        // Submodule Git directory
+        core.debug(`Replacing token placeholder in '${configPath}'`)
-        let submoduleGitDir = path.dirname(configPath) // The config file is at .git/modules/submodule-name/config
+        await this.replaceTokenPlaceholder(configPath)
        submoduleGitDir = submoduleGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
        // Configure host includeIf
        await this.git.config(
          `includeIf.gitdir:${submoduleGitDir}.path`,
          credentialsConfigPath,
          false, // globalConfig?
          false, // add?
          configPath
        )
        // Container submodule git directory
        const githubWorkspace = process.env['GITHUB_WORKSPACE']
        assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
        let relativeSubmoduleGitDir = path.relative(
          githubWorkspace,
          submoduleGitDir
        )
        relativeSubmoduleGitDir = relativeSubmoduleGitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
        const containerSubmoduleGitDir = path.posix.join(
          '/github/workspace',
          relativeSubmoduleGitDir
        )
        // Configure container includeIf
        await this.git.config(
          `includeIf.gitdir:${containerSubmoduleGitDir}.path`,
          containerCredentialsPath,
          false, // globalConfig?
          false, // add?
          configPath
        )
      }
      if (this.settings.sshKey) {
@@ -243,10 +201,6 @@ class GitAuthHelper {
    }
  }
  /**
   * Configures SSH authentication by writing the SSH key and known hosts,
   * and setting up the GIT_SSH_COMMAND environment variable.
   */
  private async configureSsh(): Promise<void> {
    if (!this.settings.sshKey) {
      return
@@ -318,127 +272,57 @@ class GitAuthHelper {
    }
  }
-  /**
+  private async configureToken(
-   * Configures token-based authentication by creating a credentials config file
+    configPath?: string,
-   * and setting up includeIf entries to reference it.
+    globalConfig?: boolean
-   * @param globalConfig Whether to configure global config instead of local
+  ): Promise<void> {
-   */
+    // Validate args
-  private async configureToken(globalConfig?: boolean): Promise<void> {
+    assert.ok(
-    // Get the credentials config file path in RUNNER_TEMP
+      (configPath && globalConfig) || (!configPath && !globalConfig),
-    const credentialsConfigPath = this.getCredentialsConfigPath()
+      'Unexpected configureToken parameter combinations'
    )
-    // Write placeholder to the separate credentials config file using git config.
+    // Default config path
-    // This approach avoids the credential being captured by process creation audit events,
+    if (!configPath && !globalConfig) {
-    // which are commonly logged. For more information, refer to
+      configPath = path.join(this.git.getWorkingDirectory(), '.git', 'config')
-    // https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
+    }
    // Configure a placeholder value. This approach avoids the credential being captured
    // by process creation audit events, which are commonly logged. For more information,
    // refer to https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing
    await this.git.config(
      this.tokenConfigKey,
      this.tokenPlaceholderConfigValue,
-      false, // globalConfig?
+      globalConfig
      false, // add?
      credentialsConfigPath
    )
-    // Replace the placeholder in the credentials config file
+    // Replace the placeholder
-    let content = (await fs.promises.readFile(credentialsConfigPath)).toString()
+    await this.replaceTokenPlaceholder(configPath || '')
  }
  private async replaceTokenPlaceholder(configPath: string): Promise<void> {
    assert.ok(configPath, 'configPath is not defined')
    let content = (await fs.promises.readFile(configPath)).toString()
    const placeholderIndex = content.indexOf(this.tokenPlaceholderConfigValue)
    if (
      placeholderIndex < 0 ||
      placeholderIndex != content.lastIndexOf(this.tokenPlaceholderConfigValue)
    ) {
-      throw new Error(
+      throw new Error(`Unable to replace auth placeholder in ${configPath}`)
        `Unable to replace auth placeholder in ${credentialsConfigPath}`
      )
    }
    assert.ok(this.tokenConfigValue, 'tokenConfigValue is not defined')
    content = content.replace(
      this.tokenPlaceholderConfigValue,
      this.tokenConfigValue
    )
-    await fs.promises.writeFile(credentialsConfigPath, content)
+    await fs.promises.writeFile(configPath, content)
    // Add include or includeIf to reference the credentials config
    if (globalConfig) {
      // Global config file is temporary
      await this.git.config(
        'include.path',
        credentialsConfigPath,
        true // globalConfig?
      )
    } else {
      // Host git directory
      let gitDir = path.join(this.git.getWorkingDirectory(), '.git')
      gitDir = gitDir.replace(/\\/g, '/') // Use forward slashes, even on Windows
      // Configure host includeIf
      const hostIncludeKey = `includeIf.gitdir:${gitDir}.path`
      await this.git.config(hostIncludeKey, credentialsConfigPath)
      // Configure host includeIf for worktrees
      const hostWorktreeIncludeKey = `includeIf.gitdir:${gitDir}/worktrees/*.path`
      await this.git.config(hostWorktreeIncludeKey, credentialsConfigPath)
      // Container git directory
      const workingDirectory = this.git.getWorkingDirectory()
      const githubWorkspace = process.env['GITHUB_WORKSPACE']
      assert.ok(githubWorkspace, 'GITHUB_WORKSPACE is not defined')
      let relativePath = path.relative(githubWorkspace, workingDirectory)
      relativePath = relativePath.replace(/\\/g, '/') // Use forward slashes, even on Windows
      const containerGitDir = path.posix.join(
        '/github/workspace',
        relativePath,
        '.git'
      )
      // Container credentials config path
      const containerCredentialsPath = path.posix.join(
        '/github/runner_temp',
        path.basename(credentialsConfigPath)
      )
      // Configure container includeIf
      const containerIncludeKey = `includeIf.gitdir:${containerGitDir}.path`
      await this.git.config(containerIncludeKey, containerCredentialsPath)
      // Configure container includeIf for worktrees
      const containerWorktreeIncludeKey = `includeIf.gitdir:${containerGitDir}/worktrees/*.path`
      await this.git.config(
        containerWorktreeIncludeKey,
        containerCredentialsPath
      )
    }
  }
  /**
   * Gets or creates the path to the credentials config file in RUNNER_TEMP.
   * @returns The absolute path to the credentials config file
   */
  private getCredentialsConfigPath(): string {
    if (this.credentialsConfigPath) {
      return this.credentialsConfigPath
    }
    const runnerTemp = process.env['RUNNER_TEMP'] || ''
    assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
    // Create a unique filename for this checkout instance
    const configFileName = `git-credentials-${uuid()}.config`
    this.credentialsConfigPath = path.join(runnerTemp, configFileName)
    core.debug(`Credentials config path: ${this.credentialsConfigPath}`)
    return this.credentialsConfigPath
  }
  /**
   * Removes SSH authentication configuration by cleaning up SSH keys,
   * known hosts files, and SSH command configurations.
   */
  private async removeSsh(): Promise<void> {
    // SSH key
    const keyPath = this.sshKeyPath || stateHelper.SshKeyPath
    if (keyPath) {
      try {
        core.info(`Removing SSH key '${keyPath}'`)
        await io.rmRF(keyPath)
      } catch (err) {
        core.debug(`${(err as any)?.message ?? err}`)
@@ -451,91 +335,88 @@ class GitAuthHelper {
      this.sshKnownHostsPath || stateHelper.SshKnownHostsPath
    if (knownHostsPath) {
      try {
        core.info(`Removing SSH known hosts '${knownHostsPath}'`)
        await io.rmRF(knownHostsPath)
-      } catch (err) {
+      } catch {
-        core.debug(`${(err as any)?.message ?? err}`)
+        // Intentionally empty
        core.warning(`Failed to remove SSH known hosts '${knownHostsPath}'`)
      }
    }
    // SSH command
    core.info('Removing SSH command configuration')
    await this.removeGitConfig(SSH_COMMAND_KEY)
    await this.removeSubmoduleGitConfig(SSH_COMMAND_KEY)
  }
  /**
   * Removes token-based authentication by cleaning up HTTP headers,
   * includeIf entries, and credentials config files.
   */
  private async removeToken(): Promise<void> {
-    // Remove HTTP extra header
+    // Remove HTTP extra header from local git config and submodule configs
    core.info('Removing HTTP extra header')
    await this.removeGitConfig(this.tokenConfigKey)
    await this.removeSubmoduleGitConfig(this.tokenConfigKey)
-    // Collect credentials config paths that need to be removed
+    //
-    const credentialsPaths = new Set<string>()
+    // Cleanup actions/checkout@v6 style credentials
-
+    //
-    // Remove includeIf entries that point to git-credentials-*.config files
+    const skipV6Cleanup = process.env['ACTIONS_CHECKOUT_SKIP_V6_CLEANUP']
-    core.info('Removing includeIf entries pointing to credentials config files')
+    if (skipV6Cleanup === '1' || skipV6Cleanup?.toLowerCase() === 'true') {
-    const mainCredentialsPaths = await this.removeIncludeIfCredentials()
+      core.debug(
-    mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
+        'Skipping v6 style cleanup due to ACTIONS_CHECKOUT_SKIP_V6_CLEANUP'
-
+      )
-    // Remove submodule includeIf entries that point to git-credentials-*.config files
+      return
    const submoduleConfigPaths = await this.git.getSubmoduleConfigPaths(true)
    for (const configPath of submoduleConfigPaths) {
      const submoduleCredentialsPaths =
        await this.removeIncludeIfCredentials(configPath)
      submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
    }
-    // Remove credentials config files
+    try {
-    for (const credentialsPath of credentialsPaths) {
+      // Collect credentials config paths that need to be removed
-      // Only remove credentials config files if they are under RUNNER_TEMP
+      const credentialsPaths = new Set<string>()
-      const runnerTemp = process.env['RUNNER_TEMP']
+
-      assert.ok(runnerTemp, 'RUNNER_TEMP is not defined')
+      // Remove includeIf entries that point to git-credentials-*.config files
-      if (credentialsPath.startsWith(runnerTemp)) {
+      const mainCredentialsPaths = await this.removeIncludeIfCredentials()
-        try {
+      mainCredentialsPaths.forEach(path => credentialsPaths.add(path))
-          core.info(`Removing credentials config '${credentialsPath}'`)
+
-          await io.rmRF(credentialsPath)
+      // Remove submodule includeIf entries that point to git-credentials-*.config files
-        } catch (err) {
+      try {
-          core.debug(`${(err as any)?.message ?? err}`)
+        const submoduleConfigPaths =
-          core.warning(
+          await this.git.getSubmoduleConfigPaths(true)
-            `Failed to remove credentials config '${credentialsPath}'`
+        for (const configPath of submoduleConfigPaths) {
-          )
+          const submoduleCredentialsPaths =
            await this.removeIncludeIfCredentials(configPath)
          submoduleCredentialsPaths.forEach(path => credentialsPaths.add(path))
        }
-      } else {
+      } catch (err) {
-        core.debug(
+        core.debug(`Unable to get submodule config paths: ${err}`)
-          `Skipping removal of credentials config '${credentialsPath}' - not under RUNNER_TEMP`
+      }
-        )
+
      // Remove credentials config files
      for (const credentialsPath of credentialsPaths) {
        // Only remove credentials config files if they are under RUNNER_TEMP
        const runnerTemp = process.env['RUNNER_TEMP']
        if (runnerTemp && credentialsPath.startsWith(runnerTemp)) {
          try {
            await io.rmRF(credentialsPath)
          } catch (err) {
            core.debug(
              `Failed to remove credentials config '${credentialsPath}': ${err}`
            )
          }
        }
      }
    } catch (err) {
      core.debug(`Failed to cleanup v6 style credentials: ${err}`)
    }
  }
  private async removeGitConfig(
    configKey: string,
    submoduleOnly: boolean = false
  ): Promise<void> {
    if (!submoduleOnly) {
      if (
        (await this.git.configExists(configKey)) &&
        !(await this.git.tryConfigUnset(configKey))
      ) {
        // Load the config contents
        core.warning(`Failed to remove '${configKey}' from the git config`)
      }
    }
  }
  /**
   * Removes a git config key from the local repository config.
   * @param configKey The git config key to remove
   */
  private async removeGitConfig(configKey: string): Promise<void> {
    if (
      (await this.git.configExists(configKey)) &&
      !(await this.git.tryConfigUnset(configKey))
    ) {
      // Load the config contents
      core.warning(`Failed to remove '${configKey}' from the git config`)
    }
  }
  /**
   * Removes a git config key from all submodule configs.
   * @param configKey The git config key to remove
   */
  private async removeSubmoduleGitConfig(configKey: string): Promise<void> {
    const pattern = regexpHelper.escape(configKey)
    await this.git.submoduleForeach(
-      // Wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline.
+      // wrap the pipeline in quotes to make sure it's handled properly by submoduleForeach, rather than just the first part of the pipeline
      `sh -c "git config --local --name-only --get-regexp '${pattern}' && git config --local --unset-all '${configKey}' || :"`,
      true
    )
@@ -543,6 +424,7 @@ class GitAuthHelper {
  /**
   * Removes includeIf entries that point to git-credentials-*.config files.
   * This handles cleanup of credentials configured by newer versions of the action.
   * @param configPath Optional path to a specific git config file to operate on
   * @returns Array of unique credentials config file paths that were found and removed
   */
@@ -578,18 +460,16 @@ class GitAuthHelper {
      }
    } catch (err) {
      // Ignore errors - this is cleanup code
-      if (configPath) {
+      core.debug(
-        core.debug(`Error during includeIf cleanup for ${configPath}: ${err}`)
+        `Error during includeIf cleanup${configPath ? ` for ${configPath}` : ''}: ${err}`
-      } else {
+      )
        core.debug(`Error during includeIf cleanup: ${err}`)
      }
    }
    return Array.from(credentialsPaths)
  }
  /**
-   * Tests if a path matches the git-credentials-*.config pattern.
+   * Tests if a path matches the git-credentials-*.config pattern used by newer versions.
   * @param path The path to test
   * @returns True if the path matches the credentials config pattern
   */
--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@@ -28,8 +28,7 @@ export interface IGitCommandManager {
    configKey: string,
    configValue: string,
    globalConfig?: boolean,
-    add?: boolean,
+    add?: boolean
    configFile?: string
  ): Promise<void>
  configExists(configKey: string, globalConfig?: boolean): Promise<boolean>
  fetch(
@@ -37,6 +36,7 @@ export interface IGitCommandManager {
    options: {
      filter?: string
      fetchDepth?: number
      fetchTags?: boolean
      showProgress?: boolean
    }
  ): Promise<void>
@@ -240,15 +240,9 @@ class GitCommandManager {
    configKey: string,
    configValue: string,
    globalConfig?: boolean,
-    add?: boolean,
+    add?: boolean
    configFile?: string
  ): Promise<void> {
-    const args: string[] = ['config']
+    const args: string[] = ['config', globalConfig ? '--global' : '--local']
    if (configFile) {
      args.push('--file', configFile)
    } else {
      args.push(globalConfig ? '--global' : '--local')
    }
    if (add) {
      args.push('--add')
    }
@@ -279,13 +273,14 @@ class GitCommandManager {
    options: {
      filter?: string
      fetchDepth?: number
      fetchTags?: boolean
      showProgress?: boolean
    }
  ): Promise<void> {
    const args = ['-c', 'protocol.version=2', 'fetch']
-    // Always use --no-tags for explicit control over tag fetching
+    if (!refSpec.some(x => x === refHelper.tagsRefSpec) && !options.fetchTags) {
-    // Tags are fetched explicitly via refspec when needed
+      args.push('--no-tags')
-    args.push('--no-tags')
+    }
    args.push('--prune', '--no-recurse-submodules')
    if (options.showProgress) {
@@ -728,19 +723,7 @@ class GitCommandManager {
      }
    }
    // Set the user agent
-    let gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
+    const gitHttpUserAgent = `git/${this.gitVersion} (github-actions-checkout)`
    // Append orchestration ID if set
    const orchId = process.env['ACTIONS_ORCHESTRATION_ID']
    if (orchId) {
      // Sanitize the orchestration ID to ensure it contains only valid characters
      // Valid characters: 0-9, a-z, _, -, .
      const sanitizedId = orchId.replace(/[^a-z0-9_.-]/gi, '_')
      if (sanitizedId) {
        gitHttpUserAgent = `${gitHttpUserAgent} actions_orchestration_id/${sanitizedId}`
      }
    }
    core.debug(`Set git useragent to: ${gitHttpUserAgent}`)
    this.gitEnv['GIT_HTTP_USER_AGENT'] = gitHttpUserAgent
  }
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@@ -159,6 +159,7 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
    const fetchOptions: {
      filter?: string
      fetchDepth?: number
      fetchTags?: boolean
      showProgress?: boolean
    } = {}
@@ -181,35 +182,12 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
      if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
        refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
        await git.fetch(refSpec, fetchOptions)
        // Verify the ref now matches. For branches, the targeted fetch above brings
        // in the specific commit. For tags (fetched by ref), this will fail if
        // the tag was moved after the workflow was triggered.
        if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
          throw new Error(
            `The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
              `The ref may have been updated after the workflow was triggered.`
          )
        }
      }
    } else {
      fetchOptions.fetchDepth = settings.fetchDepth
-      const refSpec = refHelper.getRefSpec(
+      fetchOptions.fetchTags = settings.fetchTags
-        settings.ref,
+      const refSpec = refHelper.getRefSpec(settings.ref, settings.commit)
        settings.commit,
        settings.fetchTags
      )
      await git.fetch(refSpec, fetchOptions)
      // For tags, verify the ref still points to the expected commit.
      // Tags are fetched by ref (not commit), so if a tag was moved after the
      // workflow was triggered, we would silently check out the wrong commit.
      if (!(await refHelper.testRef(git, settings.ref, settings.commit))) {
        throw new Error(
          `The ref '${settings.ref}' does not point to the expected commit '${settings.commit}'. ` +
            `The ref may have been updated after the workflow was triggered.`
        )
      }
    }
    core.endGroup()
--- a/src/misc/generate-docs.ts
+++ b/src/misc/generate-docs.ts
@@ -120,7 +120,7 @@ function updateUsage(
 }
 updateUsage(
-  'actions/checkout@v6',
+  'actions/checkout@v5',
  path.join(__dirname, '..', '..', 'action.yml'),
  path.join(__dirname, '..', '..', 'README.md')
 )
--- a/src/ref-helper.ts
+++ b/src/ref-helper.ts
@@ -76,75 +76,55 @@ export function getRefSpecForAllHistory(ref: string, commit: string): string[] {
  return result
 }
-export function getRefSpec(
+export function getRefSpec(ref: string, commit: string): string[] {
  ref: string,
  commit: string,
  fetchTags?: boolean
 ): string[] {
  if (!ref && !commit) {
    throw new Error('Args ref and commit cannot both be empty')
  }
  const upperRef = (ref || '').toUpperCase()
  const result: string[] = []
  // When fetchTags is true, always include the tags refspec
  if (fetchTags) {
    result.push(tagsRefSpec)
  }
  // SHA
  if (commit) {
    // refs/heads
    if (upperRef.startsWith('REFS/HEADS/')) {
      const branch = ref.substring('refs/heads/'.length)
-      result.push(`+${commit}:refs/remotes/origin/${branch}`)
+      return [`+${commit}:refs/remotes/origin/${branch}`]
    }
    // refs/pull/
    else if (upperRef.startsWith('REFS/PULL/')) {
      const branch = ref.substring('refs/pull/'.length)
-      result.push(`+${commit}:refs/remotes/pull/${branch}`)
+      return [`+${commit}:refs/remotes/pull/${branch}`]
    }
    // refs/tags/
    else if (upperRef.startsWith('REFS/TAGS/')) {
-      if (!fetchTags) {
+      return [`+${commit}:${ref}`]
        result.push(`+${ref}:${ref}`)
      }
    }
    // Otherwise no destination ref
    else {
-      result.push(commit)
+      return [commit]
    }
  }
  // Unqualified ref, check for a matching branch or tag
  else if (!upperRef.startsWith('REFS/')) {
-    result.push(`+refs/heads/${ref}*:refs/remotes/origin/${ref}*`)
+    return [
-    if (!fetchTags) {
+      `+refs/heads/${ref}*:refs/remotes/origin/${ref}*`,
-      result.push(`+refs/tags/${ref}*:refs/tags/${ref}*`)
+      `+refs/tags/${ref}*:refs/tags/${ref}*`
-    }
+    ]
  }
  // refs/heads/
  else if (upperRef.startsWith('REFS/HEADS/')) {
    const branch = ref.substring('refs/heads/'.length)
-    result.push(`+${ref}:refs/remotes/origin/${branch}`)
+    return [`+${ref}:refs/remotes/origin/${branch}`]
  }
  // refs/pull/
  else if (upperRef.startsWith('REFS/PULL/')) {
    const branch = ref.substring('refs/pull/'.length)
-    result.push(`+${ref}:refs/remotes/pull/${branch}`)
+    return [`+${ref}:refs/remotes/pull/${branch}`]
  }
  // refs/tags/
  else if (upperRef.startsWith('REFS/TAGS/')) {
    if (!fetchTags) {
      result.push(`+${ref}:${ref}`)
    }
  }
  // Other refs
  else {
-    result.push(`+${ref}:${ref}`)
+    return [`+${ref}:${ref}`]
  }
  return result
 }
 /**
@@ -190,10 +170,8 @@ export async function testRef(
  // refs/tags/
  else if (upperRef.startsWith('REFS/TAGS/')) {
    const tagName = ref.substring('refs/tags/'.length)
    // Use ^{commit} to dereference annotated tags to their underlying commit
    return (
-      (await git.tagExists(tagName)) &&
+      (await git.tagExists(tagName)) && commit === (await git.revParse(ref))
      commit === (await git.revParse(`${ref}^{commit}`))
    )
  }
  // Unexpected